CVE-2021-3331

9.8 CRITICAL

📋 TL;DR

CVE-2021-3331 is a remote code execution vulnerability in WinSCP's URL handler that allows attackers to execute arbitrary programs when a crafted URL loads malicious session settings. This affects all users running WinSCP versions before 5.17.10, particularly those with WinSCP configured as the default handler for sftp:// URLs.

💻 Affected Systems

Products:
  • WinSCP
Versions: All versions before 5.17.10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Default installations where WinSCP is registered as the handler for sftp:// URLs are vulnerable. The vulnerability is triggered when processing crafted URLs that load malicious session settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining complete control over the victim's system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
🟠 Likely Case: Arbitrary code execution with the privileges of the logged-in user, allowing attackers to steal credentials, install malware, or access sensitive files.
🟢 If Mitigated: Limited impact if URL handling is disabled or proper network segmentation prevents external exploitation attempts.

🌐 Internet-Facing: HIGH - Exploitable via crafted URLs that could be delivered through phishing emails, malicious websites, or other web-based attack vectors.
🏢 Internal Only: MEDIUM - Still exploitable via internal phishing or malicious links, but requires user interaction to trigger the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link), but the technical complexity is low once the malicious URL is crafted. The vulnerability is in the URL parsing mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.17.10 and later

Vendor Advisory: https://winscp.net/eng/docs/history#5.17.10

Restart Required: No

Instructions:

1. Download WinSCP 5.17.10 or later from the official website.
2. Run the installer and follow the installation prompts.
3. No system restart is required, but you may need to restart WinSCP if it is currently running.

🔧 Temporary Workarounds

Disable URL Protocol Handler

Platform: Windows

Unregister WinSCP as the default handler for sftp:// URLs so that clicking a malicious link no longer launches it with the crafted URL. Deleting these keys removes the sftp:// association entirely (for any application that registered it, not only WinSCP), and the HKLM key can only be removed from an elevated (administrator) prompt; /f suppresses the confirmation prompt.

reg delete "HKCU\Software\Classes\sftp" /f
reg delete "HKLM\Software\Classes\sftp" /f

Use Alternative SFTP Client

Platform: Windows

Temporarily use a different SFTP client that is not vulnerable while waiting to patch WinSCP.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized programs
  • Use network segmentation to restrict access to systems running vulnerable WinSCP versions

🔍 How to Verify

Check if Vulnerable:

Check WinSCP version via Help > About menu. If version is below 5.17.10, the system is vulnerable.

Check Version:

winscp.com /version

Verify Fix Applied:

After updating, verify the version is 5.17.10 or higher in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from WinSCP
  • Suspicious command-line arguments in WinSCP processes
  • Failed attempts to load malicious session settings

Network Indicators:

  • Unusual outbound connections from WinSCP process
  • HTTP/HTTPS requests to suspicious domains from WinSCP

SIEM Query:

Process Creation where Image endswith "winscp.exe" AND (CommandLine contains "rawsettings" OR CommandLine contains <other unusual parameters>)

Keep the OR terms grouped in parentheses: without them AND binds tighter, and the query would match any process whose command line contains the second term, not just WinSCP.
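The indicators and query above, as an added detection example that is not part of this advisory: a small rule set run over constructed Sysmon-style process-creation records. The field names, the sample events and the WinSCP install path are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the process that created it
    command_line: str   # command line of the created process

# Matches "...\winscp.exe" at the end of an image path, case-insensitively.
WINSCP_IMAGE = re.compile(r"\\winscp\.exe$", re.IGNORECASE)

def winscp_indicators(ev: ProcEvent) -> list[str]:
    """Return the indicators this event matches; an empty list means no match."""
    reasons = []
    if WINSCP_IMAGE.search(ev.image):
        # Session settings passed on the command line: the indicator the advisory's
        # SIEM query looks for in WinSCP launches.
        if "rawsettings" in ev.command_line.lower():
            reasons.append("WinSCP started with rawsettings on the command line")
    if WINSCP_IMAGE.search(ev.parent_image):
        # WinSCP can legitimately start a configured external editor or PuTTY, so flag
        # every child for review and compare it against what is expected in your environment.
        reasons.append(f"process spawned by WinSCP: {ev.image}")
    return reasons

def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Run the rules over a batch of events and keep only the matches."""
    return [(ev, hits) for ev in events if (hits := winscp_indicators(ev))]

# Constructed sample telemetry (not real logs): a normal launch from Explorer, a launch
# from a browser with rawsettings on the command line, and a child process of WinSCP.
WINSCP = r"C:\Program Files (x86)\WinSCP\WinSCP.exe"   # assumed install path
SAMPLE_EVENTS = [
    ProcEvent(WINSCP, r"C:\Windows\explorer.exe", f'"{WINSCP}"'),
    ProcEvent(WINSCP, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              f'"{WINSCP}" "sftp://user@files.example.test/" /rawsettings PLACEHOLDER=value'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", WINSCP, r"cmd.exe /c echo hello"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(ev.image, "->", "; ".join(hits))
```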
