CVE-2021-36945
📋 TL;DR
This vulnerability allows a local authenticated attacker to execute arbitrary code with SYSTEM privileges on affected Windows systems. It affects Windows 10 and Windows Server systems where the Windows Update Assistant is present, enabling privilege escalation from a standard user account to full system control.
💻 Affected Systems
- Windows 10
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact with proper patch management and least privilege principles, though local authenticated users could still attempt exploitation.
🎯 Exploit Status
Exploitation requires local authenticated access. Public proof-of-concept code exists, making exploitation straightforward for attackers with user-level access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates from August 2021 (KB5005033 for Windows 10 21H1, KB5005031 for 20H2, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36945
Restart Required: Yes
Instructions:
1. Apply the August 2021 Windows security updates. 2. Restart the system. 3. Verify the update is installed via Windows Update history or system information.
🔧 Temporary Workarounds
Remove Windows Update Assistant
windowsUninstall the Windows Update Assistant component if not needed for system operations
Control Panel > Programs > Uninstall a program > Select Windows Update Assistant > Uninstall
Restrict local user privileges
windowsImplement least privilege by removing local administrator rights from standard users
🧯 If You Can't Patch
- Remove Windows Update Assistant from all affected systems
- Implement strict access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if Windows Update Assistant is installed via Control Panel > Programs and Features, and verify Windows version is within affected rangeCheck Version:
winverVerify Fix Applied:
Verify August 2021 security updates are installed via Settings > Update & Security > View update history📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with parent process related to Windows Update Assistant
- Unexpected SYSTEM privilege processes spawned from user contexts
- Windows Update Assistant execution with unusual parameters
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND (ParentImage LIKE '%WindowsUpdateAssistant%' OR NewProcessName LIKE '%WindowsUpdateAssistant%')