Login Sign Up

CVE-2021-26867

9.9 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows an authenticated attacker on a guest virtual machine to execute arbitrary code on the Hyper-V host. It affects Windows systems running Hyper-V with specific configurations, potentially leading to host compromise from a guest VM.

💻 Affected Systems

Products:
  • Windows Hyper-V
Versions: Windows 10 versions 20H2, 2004, 1909, 1903; Windows Server versions 20H2, 2004, 1909, 1903
Operating Systems: Windows 10, Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Hyper-V role enabled with guest VMs running; affects both client and server editions.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Hyper-V host, allowing attacker to control all guest VMs, access host data, and pivot to other systems.

🟠

Likely Case

Attacker gains elevated privileges on the host, potentially installing malware, stealing data, or disrupting virtualization services.

🟢

If Mitigated

Limited impact due to network segmentation, strict access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: LOW - Hyper-V hosts should not be directly internet-facing; exploitation requires guest VM access.
🏢 Internal Only: HIGH - If an attacker gains access to a guest VM, they could exploit this to compromise the virtualization infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to a guest VM; Microsoft has not disclosed technical details to prevent exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2021 security updates (KB5000802 for Windows 10, KB5000803 for Windows Server)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867

Restart Required: Yes

Instructions:

1. Apply March 2021 security updates via Windows Update. 2. For enterprise: Deploy through WSUS or SCCM. 3. Restart affected systems after patching.

🔧 Temporary Workarounds

Disable Hyper-V if not needed

windows

Remove Hyper-V role from systems where virtualization is not required

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

Network segmentation

all

Isolate Hyper-V management networks from regular user networks

🧯 If You Can't Patch

  • Implement strict access controls to guest VMs and monitor for suspicious activity
  • Segment Hyper-V hosts on isolated management networks with firewall rules limiting connections

🔍 How to Verify

Check if Vulnerable:

Check if system has Hyper-V enabled and is running affected Windows versions without March 2021 patches

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5000802 (Windows 10) or KB5000803 (Windows Server) is installed via 'Get-HotFix -Id KB5000802' or checking Windows Update history

📡 Detection & Monitoring

Log Indicators:

  • Unusual Hyper-V service activity
  • Failed authentication attempts to Hyper-V components
  • Suspicious process creation on host from VM context

Network Indicators:

  • Anomalous network traffic between VMs and host management interfaces
  • Unexpected RPC/DCOM connections to Hyper-V services

SIEM Query:

EventID=4688 AND ProcessName LIKE '%vmwp%' AND CommandLine CONTAINS suspicious_pattern

📊 Metadata

CVE ID: CVE-2021-26867
CVSS v3 Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Published: March 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON