CVE-2021-38625 – This Windows kernel vulnerability allows an aut... (How to Fix)

Q: What is the severity of CVE-2021-38625?

CVE-2021-38625 has a CVSS score of 7.8 (HIGH). This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges, potentially taking full control of affected systems. It affects Windows 10, Windows 11, and Windows Server 2022 systems. Attackers need local access to exploit this privilege escalation flaw.

📋 TL;DR

This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges, potentially taking full control of affected systems. It affects Windows 10, Windows 11, and Windows Server 2022 systems. Attackers need local access to exploit this privilege escalation flaw.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2022

Versions: Windows 10 versions 20H2, 21H1, 21H2; Windows 11; Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects both client and server editions. Requires attacker to have local access and ability to run code on the target system.

📦 What is this software?

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where attacker gains SYSTEM privileges, installs persistent malware, disables security controls, and accesses all data on the system.

🟠

Likely Case

Privilege escalation from standard user to SYSTEM, enabling installation of additional malware, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact if proper endpoint protection, least privilege principles, and network segmentation are implemented, though local privilege escalation remains possible.

🌐 Internet-Facing: LOW - Requires local access; cannot be exploited remotely over the internet.

🏢 Internal Only: HIGH - Any compromised user account on affected systems can exploit this to gain full system control, enabling lateral movement across the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authenticated user access. Public proof-of-concept code exists, making exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670 for Windows 10 20H2, KB5006674 for Windows 10 21H1, KB5006675 for Windows 10 21H2, KB5006670 for Windows 11, KB5006672 for Windows Server 2022)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38625

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Implement least privilege by restricting standard users from running arbitrary code and limiting administrative access.

Enable Windows Defender Exploit Guard

windows

Configure exploit protection to mitigate kernel exploitation attempts.

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement from compromised systems
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and build number. Vulnerable builds include Windows 10 19042.1288, 19043.1288, 19044.1288; Windows 11 22000.194; Windows Server 2022 20348.230.

Check Version:

wmic os get caption, version, buildnumber, osarchitecture

Verify Fix Applied:

Verify system has October 2021 security updates installed by checking Windows Update history or running 'systeminfo' command.

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) showing suspicious kernel mode processes
Unexpected SYSTEM privilege escalation from user accounts
Windows Defender logs showing kernel exploit attempts

Network Indicators:

Unusual outbound connections from systems after local privilege escalation
Lateral movement attempts from previously compromised systems

SIEM Query:

EventID=4688 AND (NewProcessName LIKE "%\SystemRoot\System32\ntoskrnl.exe" OR NewProcessName LIKE "%\SystemRoot\System32\win32k.sys") AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")

📊 Metadata

CVE ID: CVE-2021-38625

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: September 15, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38625 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38625 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38625, you might also want to check these: