CVE-2021-31985

7.8 HIGH

📋 TL;DR

CVE-2021-31985 is a remote code execution vulnerability in Microsoft Defender's MpEngine that allows attackers to execute arbitrary code with SYSTEM privileges by exploiting memory corruption. This affects systems running Microsoft Defender Antivirus and Microsoft Defender for Endpoint. The vulnerability requires the attacker to trick a user into opening a specially crafted file.

💻 Affected Systems

Products:
  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
Versions: Versions prior to security updates released in June 2021
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Microsoft Defender enabled (default on Windows). Microsoft Defender for Endpoint on macOS/Linux is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, lateral movement, and persistence.

🟠 Likely Case: Local privilege escalation leading to malware installation, data exfiltration, or ransomware deployment on individual endpoints.

🟢 If Mitigated: Limited impact with proper endpoint protection, network segmentation, and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious files, but could be delivered via phishing or compromised websites.
🏢 Internal Only: HIGH - Once inside the network, attackers could exploit this to escalate privileges and move laterally across systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires user interaction to open malicious file. Proof-of-concept code has been published, making exploitation more accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released June 8, 2021 (KB5003637 for Windows 10 2004/20H2/21H1)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31985

Restart Required: Yes

Instructions:

1. Apply Microsoft security updates from June 2021.
2. For Windows 10/11: Use Windows Update or manually install KB5003637.
3. For Windows Server: Apply the corresponding security updates.
4. Restart systems to complete installation.

🔧 Temporary Workarounds

Disable Microsoft Defender Real-time Protection

Platform: Windows

Temporarily disable real-time scanning to prevent exploitation (not recommended long-term):

Set-MpPreference -DisableRealtimeMonitoring $true

Restrict File Execution

Platform: Windows

Use AppLocker or a similar application-control mechanism to restrict execution of untrusted files.

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent execution of untrusted files
  • Enhance email filtering and web protection to block delivery of malicious files

🔍 How to Verify

Check if Vulnerable:

Check the Microsoft Defender engine version (Get-MpComputerStatus reports it in the AMEngineVersion property) and compare it with the fixed engine version listed in the vendor advisory:

Get-MpComputerStatus | Select-Object AMEngineVersion

Verify Fix Applied:

Verify that the June 2021 update is installed:

Get-HotFix | Where-Object {$_.HotFixID -like "KB5003637*"}
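The two checks above combined into one report, as an added example that is not part of the original advisory page. It assumes Get-MpComputerStatus and Get-HotFix are available (Defender PowerShell module present) and uses $MinimumEngineVersion as a placeholder: take the fixed engine version from the vendor advisory linked above before relying on the EngineAtOrAboveFix field. The engine is updated through Defender's own update channel independently of the cumulative update, so both values are reported.

```powershell
# Added example (not from the original page): report Defender engine version
# and the June 2021 cumulative update on the local Windows host.
# ASSUMPTION: $MinimumEngineVersion is a placeholder; replace it with the fixed
# engine version from the vendor advisory before using the result.
$MinimumEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER - see advisory
$FixKB = 'KB5003637'

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

# Get-HotFix lists installed Windows updates; match on the KB number prefix.
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -like "$FixKB*" }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    EngineVersion       = $engine
    EngineAtOrAboveFix  = ($engine -ge $MinimumEngineVersion)
    RealtimeProtection  = $status.RealTimeProtectionEnabled
    CumulativeUpdate    = if ($hotfix) { $hotfix.HotFixID -join ',' } else { 'not found' }
    SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
}
```

Run it in an elevated PowerShell session; a host is only considered fixed when EngineAtOrAboveFix is True, regardless of whether the cumulative update shows up.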

📡 Detection & Monitoring

Log Indicators:

  • Microsoft Defender crash logs (Event ID 1000)
  • Unexpected process creation from MsMpEng.exe
  • Suspicious file scanning activity

Network Indicators:

  • Outbound connections from MsMpEng.exe to unusual destinations
  • DNS requests for known exploit domains

SIEM Query:

EventID=1000 AND Source="Microsoft-Windows-Windows Defender" AND ProcessName="MsMpEng.exe"
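A host-side version of the "Defender crash logs" indicator, as an added example that is not part of the original page. It assumes that a crash of the Defender service is recorded by the Application Error provider (Event ID 1000 in the Application log, as Windows records process crashes) and that the event's property layout is the standard one (index 0 faulting application, 3 faulting module, 6 exception code); $LookbackHours is an arbitrary window chosen for the example.

```powershell
# Added example (not from the original page): find Application Error (ID 1000)
# crash events whose faulting application is MsMpEng.exe.
# ASSUMPTION: crash events come from the 'Application Error' provider in the
# Application log; $LookbackHours is an arbitrary window for this example.
$LookbackHours = 24
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MsMpEng\.exe' }

foreach ($e in $crashes) {
    # ASSUMPTION: standard Application Error 1000 property layout
    # (0 = faulting app, 3 = faulting module, 6 = exception code).
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        FaultingApp    = $e.Properties[0].Value
        FaultingModule = $e.Properties[3].Value
        ExceptionCode  = $e.Properties[6].Value
        RecordId       = $e.RecordId
    }
}
```

A single crash is often benign; repeated crashes of the scanning service in a short window, especially with the same faulting module and exception code, are the pattern worth escalating, and the RecordId lets an analyst pull the full event for the file that was being scanned.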
