CVE-2021-28477

7.0 HIGH

📋 TL;DR

CVE-2021-28477 is a remote code execution vulnerability in Visual Studio Code that allows attackers to execute arbitrary code on a user's system by tricking them into opening a malicious workspace file. This affects users who open untrusted workspace files in Visual Studio Code. The vulnerability requires user interaction but can lead to full system compromise.

💻 Affected Systems

Products:
  • Visual Studio Code
Versions: Versions prior to 1.56.0
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of Visual Studio Code prior to version 1.56.0 are vulnerable when opening untrusted workspace files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to unauthorized access to sensitive files, credentials, or system resources on the affected machine.

🟢 If Mitigated

Limited impact with proper security controls like application whitelisting, network segmentation, and user awareness training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a malicious workspace file) but the technical complexity is low once the malicious file is executed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.56.0 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28477

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Click on the Help menu.
3. Select Check for Updates.
4. Install version 1.56.0 or later.
5. Restart Visual Studio Code after installation.

🔧 Temporary Workarounds

Require explicit workspace trust
Applies to: all platforms

Configure Visual Studio Code to require explicit trust before it runs anything defined by a workspace file (tasks, debug configurations, workspace settings).

Keep Workspace Trust enabled: "security.workspace.trust.enabled" must stay at its default of true. Setting it to false in settings.json disables the feature and treats every folder as trusted, which is the opposite of this workaround. To force the trust prompt on every open, set "security.workspace.trust.startupPrompt": "always". Note that Workspace Trust only exists in releases from around the fixed version onward, so on builds older than 1.56.0 these settings have no effect and updating remains the only real fix.

Restrict workspace file execution
Applies to: all platforms

🧯 If You Can't Patch

  • Implement strict user awareness training about opening untrusted workspace files
  • Use network segmentation to isolate systems running vulnerable Visual Studio Code versions

🔍 How to Verify

Check if Vulnerable:

Check Visual Studio Code version by opening Help > About. If version is below 1.56.0, the system is vulnerable.

Check Version:

code --version

Verify Fix Applied:

Verify Visual Studio Code version is 1.56.0 or higher in Help > About menu.
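The version check above is easy to get wrong when automated, because a plain string comparison ranks "1.9.0" above "1.56.0". The following POSIX shell script is an added example (not part of this advisory) that parses the first line of `code --version` and compares it field by field against the 1.56.0 fix version; the function names are this example's own.

```shell
#!/bin/sh
# Added example: decide whether a VS Code build predates the 1.56.0 fix for
# CVE-2021-28477 using a numeric major.minor.patch comparison.
FIXED_VERSION="1.56.0"

# version_lt A B -> returns 0 if A < B numerically, 1 otherwise.
# Pre-release suffixes such as "1.55.2-insider" are stripped before comparing.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}          # missing field (e.g. "1.56") counts as 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 1                               # equal versions are not "less than"
}

# vscode_is_vulnerable VERSION -> returns 0 if VERSION is below 1.56.0.
vscode_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed_code: reads the version line of `code --version` (the first
# line of its output) and reports; returns 2 when `code` is not on PATH.
check_installed_code() {
    command -v code >/dev/null 2>&1 || { echo "code not found on PATH"; return 2; }
    v=$(code --version 2>/dev/null | head -n 1)
    if vscode_is_vulnerable "$v"; then
        echo "VULNERABLE: VS Code $v is below $FIXED_VERSION (CVE-2021-28477)"
        return 0
    fi
    echo "OK: VS Code $v includes the fix"
    return 1
}
```

Source the file and call `check_installed_code` on each host; a zero exit status means the install needs the update.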

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code
  • Suspicious workspace file access patterns
  • Unexpected network connections from code.exe

Network Indicators:

  • Outbound connections to unknown IPs from Visual Studio Code process
  • DNS queries for suspicious domains from code.exe

SIEM Query:

process_name:"code.exe" AND (parent_process:"explorer.exe" OR command_line:"*.code-workspace")
