CVE-2021-28476

CVSS Score: 9.9 (CRITICAL)

📋 TL;DR

CVE-2021-28476 is a critical remote code execution vulnerability in Windows Hyper-V's vmswitch.sys driver. It allows attackers to execute arbitrary code with SYSTEM privileges on Hyper-V host systems by sending specially crafted packets to the virtual switch. This affects organizations running Windows Server with Hyper-V enabled.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Hyper-V
Versions: Windows Server 2019, Windows Server 2016, Windows Server version 2004, Windows Server version 20H2
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Hyper-V role enabled. Workstations and client Windows versions are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Hyper-V host, allowing an attacker to execute arbitrary code as SYSTEM and potentially gain control over all virtual machines and host resources.

🟠 Likely Case: Attacker gains SYSTEM privileges on the Hyper-V host, enabling lateral movement to other systems, data exfiltration, and deployment of ransomware or other malware.

🟢 If Mitigated: With proper network segmentation and access controls, impact is limited to an isolated virtualization environment with no access to critical production systems.

🌐 Internet-Facing: MEDIUM - Requires network access to Hyper-V host management interfaces, which should not be internet-facing in properly configured environments.
🏢 Internal Only: HIGH - If exploited internally, provides complete host compromise and potential access to all hosted VMs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept code is publicly available. Exploitation requires network access to the Hyper-V host's virtual switch.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2021 security updates (KB5003173 for Server 2019, KB5003197 for Server 2016)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28476

Restart Required: Yes

Instructions:

1. Apply the May 2021 Windows Server security updates from Microsoft Update.
2. Restart the Hyper-V host server.
3. Verify patch installation via Windows Update history or the systeminfo command.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate Hyper-V management networks from general corporate networks and restrict access to Hyper-V hosts.

Disable Unused Virtual Switches (platform: windows)

Remove or disable any virtual switches that are not required for operations. Removing a switch detaches every VM network adapter connected to it, so confirm the switch is genuinely unused before running the following PowerShell command, replacing "SwitchName" with the switch's actual name:

Remove-VMSwitch -Name "SwitchName" -Force

🧯 If You Can't Patch

  • Implement strict network access controls to Hyper-V hosts, allowing only authorized management systems
  • Monitor network traffic to Hyper-V hosts for anomalous patterns and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check if Hyper-V role is enabled and system is running affected Windows Server versions without May 2021 patches.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB5003173 (Server 2019) or KB5003197 (Server 2016) is installed, using systeminfo or 'Get-HotFix -Id KB5003173'.
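The verification step above (and step 3 of the patch instructions) can be scripted. The following is an added example, not part of the advisory: it checks that the Hyper-V role is present, maps the OS edition to the KB number the advisory lists, and reports whether that KB is installed. Assumptions: the KB-to-version mapping comes only from this page (Server 2004/20H2 KBs are not listed here, so those fall through to 'Unverified'), and it runs in an elevated PowerShell session on the host.

```powershell
# Added example (not the advisory's own code): report whether this Hyper-V host
# still needs the May 2021 fix for CVE-2021-28476. Run elevated on the host.
# Mapping taken from the advisory text; Server 2004/20H2 KBs are not given there.
$KbByServerVersion = @{
    'Windows Server 2019' = 'KB5003173'
    'Windows Server 2016' = 'KB5003197'
}

function Get-Cve202128476Status {
    # Only hosts with the Hyper-V role expose vmswitch.sys in an exploitable role.
    $role = Get-WindowsFeature -Name Hyper-V -ErrorAction SilentlyContinue
    if (-not $role -or -not $role.Installed) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Reason = 'Hyper-V role not installed' }
    }

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $build = "$($os.BuildNumber).$ubr"   # full OS build, e.g. 17763.<revision>

    # Map the caption ("Microsoft Windows Server 2019 Standard") to the advisory's KB.
    $kb = $null
    foreach ($name in $KbByServerVersion.Keys) {
        if ($os.Caption -like "*$name*") { $kb = $KbByServerVersion[$name] }
    }
    if (-not $kb) {
        return [pscustomobject]@{ Status = 'Unverified'; Reason = "No KB mapping for '$($os.Caption)'"; Build = $build }
    }

    # Get-HotFix lists the cumulative update by KB id. A later cumulative update can
    # supersede this one and remove its listing, so the build is reported as well for
    # manual comparison against the vendor advisory when the KB is absent.
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) {
        return [pscustomobject]@{ Status = 'Patched'; Reason = "$kb installed $($fix.InstalledOn)"; Build = $build }
    }
    return [pscustomobject]@{ Status = 'LikelyVulnerable'; Reason = "$kb not listed; compare build with advisory"; Build = $build }
}

Get-Cve202128476Status | Format-List
```

A 'LikelyVulnerable' result with a build number newer than the May 2021 release usually means a later cumulative update superseded the listed KB; confirm against the advisory rather than reinstalling.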

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: System crashes in vmswitch.sys, unexpected process creation with SYSTEM privileges
  • Hyper-V logs: Unusual virtual switch activity

Network Indicators:

  • Unusual network traffic patterns to Hyper-V management interfaces
  • Suspicious packets targeting virtual switch ports

SIEM Query:

(EventID=1000 OR EventID=1001) AND Source="vmswitch.sys" OR (ProcessName="powershell.exe" AND ParentProcess="svchost.exe")
