CVE-2021-31945

7.8 HIGH

📋 TL;DR

CVE-2021-31945 is a remote code execution vulnerability in Microsoft Paint 3D that allows attackers to execute arbitrary code by tricking users into opening specially crafted files. This affects users of Paint 3D on Windows systems. Successful exploitation requires user interaction to open a malicious file.

💻 Affected Systems

Products:
  • Microsoft Paint 3D
Versions: All versions prior to security updates
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Paint 3D is included by default in Windows 10 and 11 installations. Vulnerability requires user to open malicious file.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case: Arbitrary code execution in the context of the current user, potentially leading to malware installation or data exfiltration.

🟢 If Mitigated: Limited impact due to user account restrictions, with potential for isolated application compromise but no system-wide access.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious files, not directly exploitable over network without user action.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious files on network shares, but still requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. No public exploit code was known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2021 security updates or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31945

Restart Required: Yes

Instructions:

1. Open Windows Update settings.
2. Click 'Check for updates'.
3. Install all available updates.
4. Restart the computer if prompted.

🔧 Temporary Workarounds

Workaround 1: Disable Paint 3D file associations (Windows)

Purpose: Prevent Paint 3D from automatically opening potentially malicious files.

Steps: Open Settings > Apps > Default apps > Choose default apps by file type, then change the .3mf, .fbx, .obj, .ply and .stl associations to another application.

Workaround 2: Uninstall Paint 3D (Windows)

Purpose: Remove the vulnerable application from the system.

Steps: Open PowerShell as Administrator and run:

  Get-AppxPackage *Microsoft.MSPaint* | Remove-AppxPackage

Note: without the -AllUsers switch, Remove-AppxPackage removes the package only for the current user profile.

🧯 If You Can't Patch

  • Implement application whitelisting to block Paint 3D execution
  • Deploy email/web filtering to block malicious file attachments and downloads

🔍 How to Verify

Check if Vulnerable:

The system is vulnerable if Paint 3D is installed and the June 2021 security updates have not been applied.

Check Version:

Get-AppxPackage Microsoft.MSPaint | Select Version

Verify Fix Applied:

Verify Windows Update history shows June 2021 security updates installed and Paint 3D version is updated

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing Paint 3D crashes or unexpected process creation
  • Security logs showing file execution from unusual locations

Network Indicators:

  • Outbound connections from Paint 3D process to suspicious IPs
  • DNS queries for command and control domains

SIEM Query:

Process Creation where Image contains 'Paint3D' AND CommandLine contains suspicious file extensions (.3mf, .fbx, .obj, .ply, .stl)
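As an added example (not from this page or any vendor tooling), the SIEM query above and the "unexpected process creation" indicator implemented in Python over constructed Sysmon-style process-creation records; the image-path markers, the risky-folder list and all sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# File types the workaround section lists as handled by Paint 3D.
MODEL_EXTENSIONS = {".3mf", ".fbx", ".obj", ".ply", ".stl"}
# Assumption: the Paint 3D image path contains one of these markers (the page's
# query matches 'Paint3D'; the Appx package name is Microsoft.MSPaint).
IMAGE_MARKERS = ("paint3d", "microsoft.mspaint")
# Assumption: folders where mail- or web-delivered files usually land.
RISKY_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")

def is_paint3d(path):
    return any(marker in path.lower() for marker in IMAGE_MARKERS)

def model_files(command_line):
    """Quoted or bare command-line tokens whose extension is a 3D model type."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() in MODEL_EXTENSIONS]

def classify_event(event):
    """Return (severity, reason) for a Sysmon-style process-creation event, or None."""
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    # Rule 1: Paint 3D has no reason to launch other programs, so a child process
    # is the strongest sign that a crafted file achieved code execution.
    if is_paint3d(parent) and not is_paint3d(image):
        return ("high", f"Paint 3D spawned {PureWindowsPath(image).name}")
    files = model_files(event.get("CommandLine", "")) if is_paint3d(image) else []
    if not files:
        return None
    # Rule 2: the page's SIEM query, weighted by where the file came from so that
    # routine design work does not drown out the phishing case.
    for path in files:
        origin = "\\" + str(PureWindowsPath(path).parent).lower() + "\\"
        if any(folder in origin for folder in RISKY_DIRS):
            return ("medium", f"Paint 3D opened {path} from a download/mail folder")
    return ("low", f"Paint 3D opened {files[0]}")

def scan(events):  # keep only the flagged (severity, reason) results
    return [hit for hit in map(classify_event, events) if hit]

# Constructed sample records, not real telemetry; VERSION is a placeholder.
P3D = r"C:\Program Files\WindowsApps\Microsoft.MSPaint_VERSION_x64\Paint3D.exe"
SAMPLE_EVENTS = [
    {"Image": P3D, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{P3D}" "C:\\Users\\alice\\Downloads\\quote.3mf"'},
    {"Image": P3D, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{P3D}" D:\\projects\\bracket.stl'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": P3D,
     "CommandLine": "cmd.exe /c whoami"},
]
```

Model files opened from a project folder are reported at low severity so the rule can be tuned against normal designer activity before alerting on it.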
