CVE-2021-28466

7.8 HIGH

📋 TL;DR

CVE-2021-28466 is a remote code execution vulnerability in Microsoft's Raw Image Extension that allows attackers to execute arbitrary code by tricking users into opening a specially crafted raw image file. This affects Windows users who have the Raw Image Extension installed, particularly those who open untrusted image files from email or web sources.

💻 Affected Systems

Products:
  • Microsoft Raw Image Extension
Versions: All versions prior to the patched version
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open malicious raw image file; extension must be installed from Microsoft Store

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control of the victim's machine, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case: Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious raw image files.

🟢 If Mitigated: Limited impact with proper user education and security controls preventing execution of malicious files, though some productivity disruption may occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file; no public exploit code was available as of the last analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated via Microsoft Store (automatic updates)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28466

Restart Required: No

Instructions:

1. Open Microsoft Store
2. Click 'Library'
3. Click 'Get updates'
4. Install updates for Raw Image Extension

🔧 Temporary Workarounds

Disable Raw Image Extension (platform: windows)

Uninstall or disable the Raw Image Extension to prevent exploitation:

Start > Settings > Apps > Apps & features > Raw Image Extension > Uninstall

Block raw image file extensions (platform: windows)

Use Group Policy or security software to block opening of raw image files.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized programs
  • Educate users about risks of opening untrusted image files and implement email/web filtering for suspicious attachments

🔍 How to Verify

Check if Vulnerable:

Check Raw Image Extension version in Microsoft Store > Library > Updates

Check Version:

Not applicable - extension updated via Microsoft Store

Verify Fix Applied:

Verify Raw Image Extension shows as up to date in Microsoft Store

📡 Detection & Monitoring

Log Indicators:

  • Process creation events from RawImageExtension.exe with suspicious parameters
  • Windows Defender or antivirus alerts for raw image files

Network Indicators:

  • Outbound connections from RawImageExtension.exe to suspicious IPs
  • DNS queries for known malicious domains

SIEM Query:

ProcessName="RawImageExtension.exe" AND (CommandLine CONTAINS "malicious" OR ParentProcessName="explorer.exe")
