CVE-2021-31956
📋 TL;DR
CVE-2021-31956 is a Windows NTFS elevation of privilege vulnerability that allows authenticated attackers to gain SYSTEM-level privileges on affected systems. This affects Windows operating systems with NTFS file systems. Attackers must already have local user access to exploit this vulnerability.
💻 Affected Systems
- Windows 10
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 2004 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h1 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.
Likely Case
Malicious insiders or attackers with initial access escalate privileges to bypass security controls, install malware, or access sensitive data.
If Mitigated
With proper access controls and monitoring, impact is limited to the compromised user account without privilege escalation.
🎯 Exploit Status
Exploit code is publicly available and has been observed in real-world attacks. Requires local authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: June 2021 security updates (KB5003637 for Windows 10 2004/20H2/21H1, KB5003635 for Windows Server 2019, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956
Restart Required: Yes
Instructions:
1. Apply June 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict local user access
windowsLimit user accounts with local access to systems to reduce attack surface
Implement least privilege
windowsEnsure users operate with minimal necessary privileges to limit impact of successful exploitation
🧯 If You Can't Patch
- Implement strict access controls and monitoring for privileged accounts
- Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for June 2021 security updates or run: wmic qfe list | findstr KB5003637Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify June 2021 security updates are installed via Windows Update or command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) showing unexpected SYSTEM privilege acquisition
- Event ID 4672 (special privileges assigned to new logon)
Network Indicators:
- Unusual outbound connections from systems after local user login
- Lateral movement attempts from previously low-privilege accounts
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"