CVE-2021-26862

7.0 HIGH

📋 TL;DR

CVE-2021-26862 is a Windows Installer elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges by exploiting improper handling of file operations. This affects Windows systems where attackers have local access and can manipulate installer operations.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 20H2, 2004, 1909, 1903, 1809, 1803; Windows Server 2019, 2016; Windows 8.1; Windows Server 2012 R2; Windows 7 SP1; Windows Server 2008 SP2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access and ability to execute installer operations. Not exploitable remotely without initial access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, persistence mechanisms, and lateral movement.

🟠 Likely Case

Privilege escalation from a standard user account to SYSTEM privileges, allowing installation of malware, disabling security controls, or accessing protected resources.

🟢 If Mitigated

Limited impact with proper user access controls, application whitelisting, and monitoring in place, potentially preventing successful exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the target system.
🏢 Internal Only: HIGH - Internal attackers with standard user privileges can exploit this to gain SYSTEM privileges on affected Windows systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access. Proof-of-concept code has been published, making exploitation straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2021 security updates (KB5000802 for most versions)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862

Restart Required: Yes

Instructions:

1. Apply the March 2021 Windows security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or SCCM.
3. Verify update installation with the 'wmic qfe list' command.

🔧 Temporary Workarounds

Restrict installer permissions (Platform: windows)

Limit user permissions to execute Windows Installer operations through Group Policy or application control policies.

Configure via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Installer

Implement least privilege (Platform: windows)

Ensure users operate with minimal necessary privileges to reduce attack surface.

🧯 If You Can't Patch

  • Implement application control policies to restrict execution of unauthorized installer operations
  • Monitor for suspicious installer activity and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates. Vulnerable if running affected versions without March 2021 security updates.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB5000802 (or the equivalent March 2021 security update for your Windows version) is installed, for example with 'wmic qfe list | findstr KB5000802', or check Windows Update history.

📡 Detection & Monitoring

Log Indicators:

  • Windows Installer service events with unusual privilege escalation
  • Event ID 11707, 11724 from MSIInstaller
  • Unexpected SYSTEM privilege processes spawned from user contexts

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

EventID=11707 OR EventID=11724 | where ProcessName contains "msiexec" | where User contains "SYSTEM" and ParentUser != "SYSTEM"
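As an added example (not part of this page's content), the logic of the SIEM query above implemented in Python and run over constructed sample events. Field names (EventID, ProcessName, User, ParentUser) are taken from the query; the records are assumed to have already been enriched with process-lineage fields, since ParentUser is not something the MsiInstaller event itself carries.

```python
# Added example: the page's SIEM detection logic applied to sample events.
# Field names follow the query on this page; the events are constructed.

INSTALLER_COMPLETION_EVENTS = {11707, 11724}  # MSI install / removal completed

SAMPLE_EVENTS = [  # constructed, not captured from a real host
    {"RecordId": 1, "EventID": 11707, "ProcessName": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"CORP\alice"},            # flag
    {"RecordId": 2, "EventID": 11707, "ProcessName": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM"},   # managed push, benign
    {"RecordId": 3, "EventID": 11724, "ProcessName": r"C:\Windows\System32\msiexec.exe",
     "User": r"CORP\bob", "ParentUser": r"CORP\bob"},                         # per-user uninstall, benign
    {"RecordId": 4, "EventID": 4688, "ProcessName": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"CORP\alice"},            # not an installer event
    {"RecordId": 5, "EventID": 11724, "ProcessName": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"CORP\carol"},            # flag
]


def _is_system(account):
    """Mirror the query's 'contains SYSTEM' test; a missing account is not SYSTEM."""
    return account is not None and "SYSTEM" in account.upper()


def is_suspicious(event):
    """True for an msiexec completion event that ran as SYSTEM but was
    initiated from a non-SYSTEM (i.e. standard user) parent context."""
    if event.get("EventID") not in INSTALLER_COMPLETION_EVENTS:
        return False
    if "msiexec" not in event.get("ProcessName", "").lower():
        return False
    # Absent ParentUser counts as != SYSTEM, just as in the page's query.
    return _is_system(event.get("User")) and not _is_system(event.get("ParentUser"))


def flag_events(events):
    """Return the RecordIds of events the detection would raise."""
    return [e["RecordId"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for rid in flag_events(SAMPLE_EVENTS):
        print(f"record {rid}: SYSTEM msiexec completion initiated from a user context")
```

Events that match deserve triage against the installing user's expected activity, since a legitimate per-machine install by an administrator can produce the same shape.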
