CVE-2021-26432
📋 TL;DR
CVE-2021-26432 is a remote code execution vulnerability in the ONCRPC XDR driver that Windows Services for NFS uses to encode and decode RPC messages. An unauthenticated attacker who can reach the host's ONC RPC/NFS ports sends specially crafted RPC requests and can execute code as SYSTEM. Affected hosts are those with an NFS component installed: Server for NFS on Windows Server, or the Client for NFS feature on client editions. Hosts without either component do not carry the vulnerable driver.
💻 Affected Systems
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows 10 (all supported versions)
- Windows 8.1 and Windows RT 8.1
📦 What is this software?
Windows 10 by Microsoft
Windows 8.1 by Microsoft
Windows RT 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges: the attacker can install programs, view, change or delete data, and create new accounts with full rights, without any prior credentials.
Likely Case
Remote code execution leading to malware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Exposure is removed only if the NFS components are disabled or the ONC RPC/NFS ports are unreachable from untrusted networks. Mitigation reduces who can reach the driver, not what a successful exploit yields: any host that is still reachable and unpatched still gives up SYSTEM.
🎯 Exploit Status
Exploitation needs only network reachability to the host's ONC RPC/NFS ports; no authentication or user interaction is required (Microsoft rates it CVSS 9.8, AV:N/AC:L/PR:N/UI:N). The page's source reports that public proof-of-concept code exists; treat any internet-exposed or untrusted-LAN-exposed NFS host as a priority for patching.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2021 security updates, released 10 August 2021 (e.g., KB5005033 for Windows 10 2004/20H2/21H1, OS build 1904x.1165). The March 2021 updates do not contain this fix.
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26432
Restart Required: Yes
Instructions:
1. Apply the August 2021 (or any later) cumulative security update for your OS version from Windows Update or WSUS. 2. Restart the system so the updated driver is loaded. 3. Verify the installed OS build is at or above the August 2021 build for your version (see How to Verify below).
🔧 Temporary Workarounds
Disable NFS Services
Disable Windows Services for NFS if not required, removing the attack surface. The service name differs between Windows releases (on current releases Server for NFS is NfsService and Client for NFS is NfsClnt; older pages use nfssvc), so confirm the name first with `sc query type= service state= all | findstr /i nfs` and substitute it below:
sc config nfssvc start= disabled
sc stop nfssvc
Block NFS Ports
NFS itself listens on 2049, but the ONC RPC portmapper on 111 is part of the same stack and should be blocked as well; block both on TCP and UDP:
netsh advfirewall firewall add rule name="Block NFS" dir=in action=block protocol=TCP localport=2049
netsh advfirewall firewall add rule name="Block NFS UDP" dir=in action=block protocol=UDP localport=2049
netsh advfirewall firewall add rule name="Block ONC RPC" dir=in action=block protocol=TCP localport=111
netsh advfirewall firewall add rule name="Block ONC RPC UDP" dir=in action=block protocol=UDP localport=111
🧯 If You Can't Patch
- Disable Windows Services for NFS via services.msc or the command line; if the feature is not needed at all, remove the role or optional feature so the driver is no longer installed.
- Implement network segmentation so that TCP/UDP 111 and 2049 on NFS hosts are reachable only from the client subnets that need them, never from the internet or from untrusted networks.
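The two workarounds above, applied together and made reversible, as an added PowerShell example (not code from the original advisory or from Microsoft). It assumes an elevated PowerShell 5.1+ session, matches NFS services by display name rather than by the version-specific short name, blocks both 2049 and 111 on TCP and UDP, and records the original service start types in a JSON file under ProgramData so that `Undo-NfsWorkaround` can restore them after patching; the rule names and the state-file path are this example's own choices.

```powershell
# Added example for CVE-2021-26432 (not part of the original advisory).
# Assumptions: elevated PowerShell 5.1+; rule names and $StatePath are arbitrary choices.
$RuleNames = 'CVE-2021-26432 Block NFS TCP', 'CVE-2021-26432 Block NFS UDP'
$StatePath = Join-Path $env:ProgramData 'cve-2021-26432-workaround.json'
$NfsPorts  = 111, 2049   # ONC RPC portmapper and NFS

function Invoke-NfsWorkaround {
    # Stop and disable every NFS service (Server for NFS, Client for NFS, ...) instead of
    # relying on one hard-coded short name, which differs between Windows releases.
    $svcs  = Get-Service | Where-Object { $_.DisplayName -like '*NFS*' }
    $state = foreach ($s in $svcs) {
        [pscustomobject]@{ Name = $s.Name; StartType = [string]$s.StartType }
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $s.Name -Force }
        Set-Service -Name $s.Name -StartupType Disabled
    }
    # Remember what was changed so it can be reverted precisely.
    $state | ConvertTo-Json | Set-Content -Path $StatePath

    # Block inbound ONC RPC / NFS at the host firewall, idempotently, for both transports.
    foreach ($proto in 'TCP', 'UDP') {
        $name = if ($proto -eq 'TCP') { $RuleNames[0] } else { $RuleNames[1] }
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $proto -LocalPort $NfsPorts | Out-Null
        }
    }
    [pscustomobject]@{ DisabledServices = @($state.Name); FirewallRules = $RuleNames; StateFile = $StatePath }
}

function Undo-NfsWorkaround {
    # Reverse the workaround once the August 2021 update is confirmed installed.
    Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    if (Test-Path $StatePath) {
        foreach ($entry in (Get-Content $StatePath -Raw | ConvertFrom-Json)) {
            Set-Service -Name $entry.Name -StartupType $entry.StartType
            if ($entry.StartType -eq 'Automatic') { Start-Service -Name $entry.Name }
        }
        Remove-Item $StatePath
    }
}

Invoke-NfsWorkaround   # run Undo-NfsWorkaround after patching and rebooting
```

Stopping the service closes the listeners, but the driver files stay installed; if NFS is not needed at all, removing the role or optional feature is the stronger option. The firewall rules are a second layer in case a service is re-enabled by a later configuration change.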
🔍 How to Verify
Check if Vulnerable:
Check whether any NFS component is installed and running: `sc query type= service state= all | findstr /i nfs` lists the NFS services present (names vary by release, e.g. NfsService for Server for NFS, NfsClnt for Client for NFS; older pages use nfssvc). Also check for listeners with `netstat -ano | findstr ":2049 :111"`. If an NFS service exists or those ports are listening and the August 2021 update is not installed, the host is vulnerable.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the August 2021 (or a later) cumulative update is installed. A KB lookup such as `wmic qfe list | findstr KB5005033` (substitute the KB for your OS version) works only if that exact update was installed; later cumulative updates supersede it without listing it. The reliable check is the OS build: for Windows 10 2004/20H2/21H1 the fixed build is 19041/19042/19043.1165 or higher, which `winver` or the UBR value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` shows.
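The three checks above (component installed, ports listening, update applied) combined into one exposure report, as an added PowerShell example rather than code from the original advisory. It assumes an elevated PowerShell 5.1+ session and knows the fixed build only for the Windows 10 2004/20H2/21H1 family patched by KB5005033 (build 1904x.1165, August 2021); the `$FixedUbr` table is an assumption that must be extended with the build numbers for other OS versions from the advisory. Unknown builds are reported as unpatched-unknown rather than assumed safe.

```powershell
# Added example for CVE-2021-26432 (not part of the original advisory).
# Assumption: the table below covers only Windows 10 2004/20H2/21H1 (KB5005033, UBR 1165).
$FixedUbr = @{ 19041 = 1165; 19042 = 1165; 19043 = 1165 }

function Get-NfsExposure {
    # 1. NFS components present. Match on display name ("Server for NFS", "Client for NFS")
    #    because the short service name differs between Windows releases.
    $services = Get-Service | Where-Object { $_.DisplayName -like '*NFS*' }

    # 2. Optional features that install the NFS stack (server roles, or Client for NFS on Windows 10).
    $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like '*NFS*' -and $_.State -eq 'Enabled' }

    # 3. Listeners on the ONC RPC portmapper (111) and NFS (2049), TCP and UDP.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 111, 2049 }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 111, 2049 }

    # 4. Patch state from the build number, which survives later cumulative updates
    #    (a KB lookup does not once a newer cumulative update has replaced it).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $patched = if ($FixedUbr.ContainsKey($build)) { $ubr -ge $FixedUbr[$build] } else { $null }  # $null = unknown build

    $ports = @($tcp | ForEach-Object { "tcp/$($_.LocalPort)" }) +
             @($udp | ForEach-Object { "udp/$($_.LocalPort)" }) | Sort-Object -Unique

    [pscustomobject]@{
        Build          = "$build.$ubr"
        Patched        = $patched                      # $true / $false / $null (unknown build)
        NfsServices    = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        NfsFeatures    = @($features.FeatureName) -join ', '
        ListeningPorts = $ports -join ', '
        # Exposed when something is listening and we cannot prove the fix is present.
        Exposed        = [bool]($tcp -or $udp) -and ($patched -ne $true)
    }
}

Get-NfsExposure | Format-List
```

Run it per host, or wrap it in `Invoke-Command` across a list of NFS servers; any row with `Exposed = True` should get the update or the workarounds above before anything else.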
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) for unexpected child processes of the NFS service host, or any new process running as SYSTEM shortly after inbound NFS traffic from an unfamiliar source
- Event ID 5156 (Windows Filtering Platform connection allowed, requires the "Filtering Platform Connection" audit subcategory) with DestPort 2049 or 111 from sources outside the known NFS client subnets
Network Indicators:
- Traffic to TCP/UDP 2049 (NFS) or 111 (ONC RPC portmapper) from sources that are not known NFS clients, especially from the internet
- Malformed or unusually large ONC RPC/XDR messages, or bursts of RPC requests that do not complete a normal NFS mount sequence
SIEM Query:
Generic template; adapt the field names to your SIEM's Windows schema:
source="windows" ((event_id=4688 AND process_name="*nfs*") OR (event_id=5156 AND (destination_port=2049 OR destination_port=111)))