CVE-2021-36975 – CVE-2021-36975 is a Win32k elevation of privile... (How to Fix)

Q: What is the severity of CVE-2021-36975?

CVE-2021-36975 has a CVSS score of 7.8 (HIGH). CVE-2021-36975 is a Win32k elevation of privilege vulnerability in Windows that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has local access and can run specially crafted applications. The vulnerability enables privilege escalation from a lower-privileged account to full system control.

📋 TL;DR

CVE-2021-36975 is a Win32k elevation of privilege vulnerability in Windows that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has local access and can run specially crafted applications. The vulnerability enables privilege escalation from a lower-privileged account to full system control.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 2004, 20H2, 21H1; Windows Server 2022; Windows 11

Operating Systems: Windows 10, Windows 11, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have ability to execute code on target system. Not exploitable remotely without existing access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data destruction.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install backdoors, and access sensitive system resources.

🟢

If Mitigated

Limited impact with proper access controls, application whitelisting, and least privilege principles in place.

🌐 Internet-Facing: LOW - Requires local access and authenticated user context, not directly exploitable over network.

🏢 Internal Only: HIGH - Significant risk in environments with shared workstations, terminal servers, or where users can run arbitrary code.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and ability to run code. Multiple proof-of-concepts exist in security research community.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2021 security updates (KB5005033 for Windows 10 21H1, KB5005031 for Windows 10 20H2, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36975

Restart Required: Yes

Instructions:

1. Apply August 2021 Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Verify update installation with 'wmic qfe list' showing appropriate KB.

🔧 Temporary Workarounds

Restrict local code execution

windows

Implement application control policies to prevent unauthorized code execution

Use AppLocker or Windows Defender Application Control policies

Least privilege enforcement

windows

Ensure users operate with minimal necessary privileges

Configure User Account Control (UAC) to highest setting
Use standard user accounts for daily operations

🧯 If You Can't Patch

Implement strict application whitelisting to prevent unauthorized code execution
Enforce network segmentation to limit lateral movement from compromised systems

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates: 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"' and 'wmic qfe list | findstr KB500503'

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify August 2021 security updates are installed: 'wmic qfe get hotfixid | findstr KB500503' returns matching KB number

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with unusual parent processes
UAC bypass attempts in security logs
Process creation from non-standard locations with SYSTEM privileges

Network Indicators:

Unusual outbound connections from systems after local privilege escalation

SIEM Query:

EventID=4688 AND (NewProcessName="*\cmd.exe" OR NewProcessName="*\powershell.exe") AND SubjectUserName="SYSTEM" AND ParentProcessName NOT IN ("*\services.exe", "*\wininit.exe", "*\csrss.exe")

📊 Metadata

CVE ID: CVE-2021-36975

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: September 15, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36975 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36975 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-36975, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local code execution

Least privilege enforcement

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities