CVE-2021-27061

7.8 HIGH

📋 TL;DR

CVE-2021-27061 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, typically through the Microsoft Store. Users who open malicious video files are at risk.

💻 Affected Systems

Products:
  • HEVC Video Extensions from Microsoft Store
Versions: Versions prior to the February 2021 update
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where HEVC Video Extensions are installed from Microsoft Store. Systems using hardware-based HEVC decoding or other codec implementations are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local user account compromise when a user opens a malicious video file, allowing attackers to execute code with the user's privileges and potentially escalate to higher privileges.

🟢 If Mitigated

Limited impact with proper application whitelisting, restricted user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious file). No public exploit code was available at the time of disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated version available through Microsoft Store

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Click on 'Library' in bottom left.
3. Click 'Get updates' to update all apps.
4. Alternatively, search for 'HEVC Video Extensions' and update manually.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions (Windows)

Remove the vulnerable component entirely if not needed for business operations:

Get-AppxPackage *HEVC* | Remove-AppxPackage

Disable automatic media file opening (Windows)

Configure Windows to not automatically open media files from untrusted sources.

🧯 If You Can't Patch

  • Implement application control policies to block execution of HEVC Video Extensions
  • Educate users about the risks of opening media files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Microsoft Store or via PowerShell: Get-AppxPackage *HEVC* | Select Name, Version

Check Version:

Get-AppxPackage *HEVC* | Select Name, Version

Verify Fix Applied:

Verify HEVC Video Extensions version is updated to February 2021 or later release

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing HEVC Video Extensions crashes
  • Application logs showing unexpected media file processing

Network Indicators:

  • Unusual outbound connections following media file opening
  • DNS requests to suspicious domains after video playback

SIEM Query:

EventID=1000 AND Source='Application Error' AND ProcessName LIKE '%HEVC%'
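The version check and the SIEM query above can be run together on a single host. The script below is an added example, not part of the vendor advisory or this page's original content. It assumes an elevated PowerShell session, and `$MinFixedVersion` and `$DaysBack` are hypothetical parameters: the page does not state the fixed package version, so the operator must supply it from the vendor advisory.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
param(
    # Assumption: first fixed package version, taken from the vendor advisory.
    # This page does not state it, so it has no default here.
    [Parameter(Mandatory)] [version] $MinFixedVersion,
    # Assumption: how far back to search the Application log.
    [int] $DaysBack = 30
)

# 1. Inventory: every HEVC package registered for any user on this host,
#    compared against the operator-supplied fixed version.
$packages = Get-AppxPackage -AllUsers -Name '*HEVC*' |
    Select-Object Name, PackageFullName,
        @{ n = 'Version'; e = { [version]$_.Version } },
        @{ n = 'Status'; e = {
            if ([version]$_.Version -lt $MinFixedVersion) { 'NEEDS UPDATE' } else { 'OK' }
        } }

if (-not $packages) {
    Write-Output 'No HEVC Video Extensions package installed; nothing to update.'
} else {
    $packages | Format-Table -AutoSize
}

# 2. Local equivalent of the SIEM query: Event ID 1000 from the
#    "Application Error" provider whose message mentions HEVC.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}

# Get-WinEvent raises an error when nothing matches, so suppress it.
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*HEVC*' }

if ($crashes) {
    $crashes |
        Select-Object TimeCreated,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-List
} else {
    Write-Output "No HEVC-related application crashes in the last $DaysBack days."
}
```

A crash on a host whose package status is 'NEEDS UPDATE' is worth correlating with the media file the user opened at that time.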
