CVE-2021-27086
📋 TL;DR
CVE-2021-27086 is a local elevation of privilege vulnerability in the Windows Service Control Manager (SCM): an authenticated, low-privileged user can bypass the SCM's remote-access check and end up running code as SYSTEM. It matters on any Windows host where an attacker already has a foothold with standard user permissions, because it turns that foothold into full control of the machine.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker with initial access can gain SYSTEM privileges, enabling complete system compromise, credential theft, lateral movement, and persistence establishment across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, access sensitive data, and maintain persistence on compromised systems.
If Mitigated
Limited impact with proper network segmentation, least privilege enforcement, and endpoint protection that can detect and block privilege escalation attempts.
🎯 Exploit Status
Exploitation requires an authenticated (local, low-privileged) account. A public proof-of-concept exists (see the Packet Storm reference below), so the bar for weaponisation is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2021 security updates (KB5000802, KB5000808, KB5000809, KB5000822 depending on Windows version)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27086
Restart Required: Yes
Instructions:
1. Apply the March 2021 Windows security updates via Windows Update.
2. In enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart systems after the update is installed; the fix is not active until reboot.
🔧 Temporary Workarounds
Restrict SCM Remote Access
Configure Windows Firewall to block inbound access to the Service Control Manager's RPC endpoints: the endpoint mapper on TCP 135, the \PIPE\svcctl named pipe over SMB on TCP 445, and the dynamic RPC port range. Run from an elevated prompt:
netsh advfirewall firewall add rule name="Block SCM Remote" dir=in action=block protocol=TCP localport=135,445,49152-65535
Caveat: this rule blocks all inbound SMB and RPC, including file sharing, remote MMC/WMI and other legitimate remote management, so scope it (remoteip=) or test it before broad deployment. It only limits remote reach; it does not stop an attacker who already runs code on the host, which is the scenario this vulnerability is primarily about.
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows version and compare with affected versions list; verify if March 2021 security updates are installed
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify KB5000802, KB5000808, KB5000809, or KB5000822 is installed via 'wmic qfe list' or 'Get-Hotfix' PowerShell command
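The check above, as an added PowerShell example (not code from the original page or from Microsoft). It looks for the KBs named on this page with Get-HotFix and, because later cumulative updates supersede those KBs without listing them, also compares the host's CurrentBuild and UBR against a minimum patched revision per build. The $MinimumUbr table is an assumption taken from the March 2021 update release notes; confirm the values against the vendor advisory before relying on them.

```powershell
# Added example: CVE-2021-27086 patch-state check for the local host.
# Method 1: the KB IDs named on this page (misses superseding updates).
# Method 2: CurrentBuild + UBR against the minimum patched revision.
$MarchKBs = 'KB5000802', 'KB5000808', 'KB5000809', 'KB5000822'

# Assumed minimum UBR per build after the March 2021 update; verify with the advisory.
$MinimumUbr = @{
    '19042' = 867    # Windows 10 20H2            KB5000802
    '19041' = 867    # Windows 10 2004            KB5000802
    '18363' = 1440   # Windows 10 1909            KB5000808
    '17763' = 1817   # Windows 10 1809 / WS 2019  KB5000809
    '17134' = 2087   # Windows 10 1803            KB5000822
}

function Test-March2021Patch {
    $reg   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$reg.CurrentBuild
    $ubr   = [int]$reg.UBR

    # Method 1: explicit KB presence
    $kbFound = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $MarchKBs -contains $_.HotFixID }

    # Method 2: revision number; any later cumulative update raises UBR past the minimum
    $inTable = $MinimumUbr.ContainsKey($build)
    $ubrOk   = $inTable -and ($ubr -ge $MinimumUbr[$build])

    [pscustomobject]@{
        Build           = "$build.$ubr"
        KBInstalled     = if ($kbFound) { $kbFound.HotFixID -join ',' } else { '' }
        BuildInTable    = $inTable
        MeetsMinimumUbr = $ubrOk
        LikelyPatched   = [bool]$kbFound -or $ubrOk
    }
}

$result = Test-March2021Patch
$result | Format-List

if (-not $result.BuildInTable) {
    Write-Warning "Build $($result.Build) is not in the lookup table; compare it manually with the vendor advisory."
}
elseif (-not $result.LikelyPatched) {
    Write-Warning "Host appears to lack the March 2021 update for CVE-2021-27086."
}
```

Get-HotFix alone gives false negatives on hosts that jumped straight to a later cumulative update, which is why the UBR comparison is the more useful of the two signals; treat a build missing from the table as "unknown", not "patched".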
📡 Detection & Monitoring
Log Indicators:
- Security Event ID 4688 (process creation): a SYSTEM process spawned by services.exe whose image is a binary recently written by a standard user, or sc.exe launched from a standard-user session to create or reconfigure a service (requires process creation auditing; enable command-line logging to see the arguments)
- Security Event ID 4697 (a service was installed) where the installing account is a non-administrative user; this requires the "Audit Security System Extension" subcategory, whereas System Event ID 7045 records the same installation by default
Network Indicators:
- SCM RPC traffic (the svcctl interface over the \PIPE\svcctl named pipe on TCP 445, or a dynamic endpoint resolved via TCP 135) from hosts that do not normally manage services
- An SMB session followed within seconds by a service creation on the target
SIEM Query (pseudo-SPL, adapt field names to your schema; note the explicit grouping, the original page's query mixed AND and OR without parentheses):
source="windows_security" (event_id=4688 OR event_id=4697) | where user_account!="SYSTEM" AND (process_name contains "sc.exe" OR parent_process contains "sc.exe")
Note that sc.exe is a weak indicator: the public proof-of-concept talks to the SCM over RPC directly, so correlate on 4697/7045 service installations by non-administrative accounts rather than on the tool name alone.
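The same detection run locally on a host, as an added PowerShell example that is not part of the original page. It pulls service-installation events (Security 4697 and System 7045) from the last N hours and flags those whose installing account is outside an allow-list or whose service binary sits under a user-writable path. The allow-list, the path patterns and the lookback window are assumptions to tune for your environment; 4697 only appears if "Audit Security System Extension" is enabled.

```powershell
# Added example: flag service installations consistent with a local SCM
# privilege escalation. Reads Security 4697 and System 7045 events.
function Get-SuspiciousServiceInstalls {
    param(
        [int]$Hours = 24,
        # Accounts that legitimately install services here (assumed; tune locally)
        [string[]]$AllowedAccounts = @('NT AUTHORITY\SYSTEM', 'S-1-5-18')
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Locations a standard user can write to (assumed pattern list)
    $userWritable = '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\'

    $events = @(
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697; StartTime=$since} -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{LogName='System';   Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
    ) | Where-Object { $null -ne $_ }

    foreach ($e in $events) {
        # Parse the EventData block into a name -> value table
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($e.Id -eq 4697) {
            $account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            $image   = $data['ServiceFileName']
        } else {
            # 7045 records the installer only as the event's UserId SID
            $account = "$($e.UserId)"
            if ($e.UserId) {
                try { $account = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            }
            $image = $data['ImagePath']
        }

        $reasons = @()
        if ($AllowedAccounts -notcontains $account) { $reasons += 'installer is not an allowed account' }
        if ($image -match $userWritable)            { $reasons += 'service binary under user-writable path' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                EventId     = $e.Id
                Installer   = $account
                ServiceName = $data['ServiceName']
                ImagePath   = $image
                Reason      = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousServiceInstalls -Hours 24 | Format-Table -AutoSize
```

Run it from an elevated prompt (reading the Security log requires it). Expect noise from installers and endpoint agents on first run; extend $AllowedAccounts rather than loosening the path check, since a SYSTEM service whose binary lives under a user profile is the shape this escalation leaves behind.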
🔗 References
- http://packetstormsecurity.com/files/162157/Microsoft-Windows-SCM-Remote-Access-Check-Limit-Bypass-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27086