CVE-2021-27049

7.8 HIGH

📋 TL;DR

CVE-2021-27049 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed. Attackers could gain the same user rights as the current user.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Versions prior to the March 2021 security update
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where HEVC Video Extensions are installed. This is an optional component but commonly installed for video playback.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing malware, stealing data, and creating persistent backdoors.

🟠 Likely Case

Attacker gains user-level privileges to execute code, install ransomware, or steal sensitive files accessible to the user account.

🟢 If Mitigated

Limited impact due to patched systems, restricted user privileges, and application whitelisting preventing malicious code execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, web downloads, or messaging apps.
🏢 Internal Only: MEDIUM - Similar risk internally if users open malicious files from network shares or internal communications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious media file. No publicly available exploit code as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version 1.0.41881.0 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Click on 'Library' or 'Downloads and updates'.
3. Check for updates for HEVC Video Extensions.
4. Install available updates.
5. Alternatively, update through Windows Update for systems with automatic updates enabled.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions

windows

Remove the vulnerable component entirely if not needed for business operations

Get-AppxPackage *HEVCVideoExtension* | Remove-AppxPackage

Restrict media file execution

windows

Use application control policies to block execution of media files from untrusted sources

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Restrict user privileges to standard user accounts (not administrator)

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Microsoft Store or via PowerShell: Get-AppxPackage *HEVCVideoExtension* | Select Version

Check Version:

Get-AppxPackage *HEVCVideoExtension* | Select Name, Version

Verify Fix Applied:

Verify that the version is 1.0.41881.0 or higher using the same PowerShell command.
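
The version check above as a script, added here as an example (not vendor code): it compares each installed HEVC Video Extensions package against the fixed version 1.0.41881.0 given on this page. The function name Test-HevcPatched and the output columns are assumptions made for the example.

```powershell
# Added example: flag HEVC Video Extensions packages older than the fixed build.
# The fixed version is the one stated on this page; the function name is hypothetical.
$FixedVersion = [version]'1.0.41881.0'

function Test-HevcPatched {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [version]$Minimum = $FixedVersion
    )
    # Get-AppxPackage returns Version as a string. Cast to [version] so each
    # component is compared numerically: as strings, a constructed value such as
    # '1.0.5000.0' would sort above '1.0.41881.0' and be reported as patched.
    return ([version]$InstalledVersion -ge $Minimum)
}

# -AllUsers needs an elevated session; otherwise only the current user's
# packages are visible, so fall back and say which scope was checked.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    $scope    = 'all users'
    $packages = Get-AppxPackage -AllUsers -Name *HEVCVideoExtension*
} else {
    $scope    = 'current user only'
    $packages = Get-AppxPackage -Name *HEVCVideoExtension*
}

if (-not $packages) {
    Write-Output "HEVC Video Extensions not installed ($scope)."
    return
}

Write-Output "Scope checked: $scope"
$packages | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        Version      = $_.Version
        Architecture = $_.Architecture
        Patched      = Test-HevcPatched -InstalledVersion $_.Version
    }
} | Sort-Object Patched, Name | Format-Table -AutoSize
```

Rows with Patched = False are below the fixed version and still need the Microsoft Store update.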

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing crashes in HEVCVideoExtension.exe
  • Application logs showing unexpected media file processing

Network Indicators:

  • Unusual outbound connections after media file processing
  • Downloads of suspicious media files

SIEM Query:

EventID=1000 AND Source='Application Error' AND ProcessName='HEVCVideoExtension.exe'
