CVE-2021-31979
📋 TL;DR
This is a Windows kernel elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. It affects Windows operating systems and requires an attacker to already have some level of access to the target system. The vulnerability exists in how the Windows kernel improperly handles objects in memory.
💻 Affected Systems
- Windows 10
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 2004 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h1 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM privileges on the target system, enabling complete control, data theft, lateral movement, and persistence establishment.
Likely Case
Privilege escalation from a standard user or lower-privileged account to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
Limited impact due to proper patch management, endpoint protection, and least privilege principles preventing initial access.
🎯 Exploit Status
Exploits have been observed in the wild. CISA lists this as known exploited. Requires authenticated access but exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: June 2021 security updates (KB5003637 for Windows 10 2004/20H2/21H1, KB5003635 for Server 2019, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979
Restart Required: Yes
Instructions:
1. Apply June 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart systems after patch installation.
🔧 Temporary Workarounds
No known workarounds
windowsMicrosoft has not identified any workarounds for this vulnerability
🧯 If You Can't Patch
- Implement strict least privilege principles to limit initial access opportunities
- Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if June 2021 security updates are installed via 'wmic qfe list' or 'Get-Hotfix' in PowerShellCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5003637 (or equivalent for your OS version) is installed and system has been restarted📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) showing unexpected SYSTEM privilege processes
- Event ID 4672 (special privileges assigned)
Network Indicators:
- Unusual outbound connections from SYSTEM context processes
- Lateral movement attempts following privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"