CVE-2021-27047

7.8 HIGH

📋 TL;DR

CVE-2021-27047 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, typically through the Microsoft Store. Users who open malicious video files are at risk of complete system compromise.

💻 Affected Systems

Products:
  • HEVC Video Extensions from Microsoft Store
Versions: All versions prior to security update
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires HEVC Video Extensions to be installed, which is not included by default but commonly installed for video playback support.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, allowing data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local user account compromise leading to data exfiltration, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application whitelisting and user education preventing malicious file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious media file. No public exploit code was available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update through Microsoft Store (automatic updates enabled)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047

Restart Required: No

Instructions:

1. Open Microsoft Store
2. Click 'Library'
3. Click 'Get updates'
4. Install HEVC Video Extensions update
5. Alternatively, enable automatic updates in Microsoft Store settings

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions

windows

Remove the vulnerable component entirely if HEVC video playback is not required

Settings > Apps > Apps & features > HEVC Video Extensions > Uninstall

Restrict Media File Execution

windows

Use application control policies to block execution of media files from untrusted sources

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized media players
  • Educate users about risks of opening media files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Microsoft Store for HEVC Video Extensions updates or verify version in Apps & features settings

Check Version:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension* | Select-Object Version

Verify Fix Applied:

Confirm HEVC Video Extensions shows no available updates in Microsoft Store

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process creation from media player applications
  • HEVC Video Extensions crash events in Application logs

Network Indicators:

  • Outbound connections from media player processes to unexpected destinations

SIEM Query:

Process Creation where (Image contains 'video' OR ParentImage contains 'video') AND (CommandLine contains '.hevc' OR CommandLine contains '.mp4' OR CommandLine contains '.mov')
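
The query and the "unexpected process creation from media player applications" indicator above, applied to constructed process-creation events. This is an added example, not part of the original advisory; the field names come from the query, while the event data, paths, process names and function names are assumptions made for illustration.

```python
MEDIA_EXTS = (".hevc", ".mp4", ".mov")  # extensions named in the page's query
PLAYER_HINT = "video"                   # substring the page's query matches on

# Constructed process-creation events; every path and process name is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Apps\VideoPlayer\videoplayer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'videoplayer.exe "C:\Users\a\Downloads\clip.mp4"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Apps\VideoPlayer\videoplayer.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.mov.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\todo.txt"},
    {"Image": r"C:\Tools\conv.exe",
     "ParentImage": r"C:\Apps\VideoPlayer\videoplayer.exe",
     "CommandLine": r"conv.exe C:\Users\a\Downloads\clip.hevc"},
]

def _has(event, field, needle):
    """Case-insensitive substring test on one event field."""
    return needle in event.get(field, "").lower()

def query_match(event):
    """(Image OR ParentImage contains 'video') AND CommandLine names a media file."""
    player = _has(event, "Image", PLAYER_HINT) or _has(event, "ParentImage", PLAYER_HINT)
    media = any(_has(event, "CommandLine", ext) for ext in MEDIA_EXTS)
    return player and media

def player_spawned_child(event):
    """Log indicator: a non-player process whose parent is a media player."""
    return _has(event, "ParentImage", PLAYER_HINT) and not _has(event, "Image", PLAYER_HINT)

def classify(event):
    """Return the labels that apply to one event (empty list = not flagged)."""
    labels = []
    if query_match(event):
        labels.append("query_match")
    if player_spawned_child(event):
        labels.append("player_spawned_child")
    return labels

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), e["Image"])
```

The second event is flagged only by the parent-process check, because its command line names no media file. Substring matching on 'video' also misses players whose image path lacks that word, so a deployment would match on an explicit list of player binaries.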
