CVE-2021-40478

7.8 HIGH

📋 TL;DR

CVE-2021-40478 is an elevation of privilege vulnerability in the Windows Storage Spaces Controller. It allows authenticated attackers to execute arbitrary code with SYSTEM privileges on affected systems. This affects Windows servers and workstations using Storage Spaces.

💻 Affected Systems

Products:
  • Windows 10
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
Versions: Multiple versions prior to October 2021 updates
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Storage Spaces feature to be enabled/used, but many systems have it by default.

📦 What is this software?

Storage Spaces is the built-in Windows storage virtualization feature: it pools physical disks into storage pools and provisions virtual disks (spaces) with mirror or parity resiliency on top of them. The Storage Spaces Controller is the component that manages those pools and spaces.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the system, data theft, lateral movement, and persistence.

🟠 Likely Case

Privilege escalation from authenticated user to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though local compromise risk remains.

🌐 Internet-Facing: LOW (requires authenticated access and local execution)
🏢 Internal Only: HIGH (authenticated users can exploit locally for privilege escalation)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access; proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (e.g., KB5006670 for Windows 10 21H1)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40478

Restart Required: Yes

Instructions:

1. Apply the October 2021 Windows security updates via Windows Update.
2. For manual installation, download the appropriate KB from the Microsoft Update Catalog.
3. Restart the system after installation.

🔧 Temporary Workarounds

Disable Storage Spaces Service (Windows)

Temporarily disable the Storage Spaces service to prevent exploitation. Run from an elevated command prompt:

sc config spsvc start= disabled
sc stop spsvc

🧯 If You Can't Patch

  • Restrict user access to systems with Storage Spaces enabled using least privilege principles.
  • Implement network segmentation to isolate vulnerable systems and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check whether the October 2021 security updates are installed, either via `systeminfo` (which lists installed hotfixes) or via the Windows Update history.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the patch is installed by checking for KB5006670 (Windows 10 21H1) or the corresponding October 2021 update for your build in the installed updates list. Note that later cumulative updates supersede the October 2021 package, so a host that received any later cumulative update is also fixed even if KB5006670 itself is not listed.
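The following PowerShell function is an added example, not part of this advisory or of any Microsoft tooling. It combines the two verification steps above into one check: it looks for the KB the page names (KB5006670), falls back to any security update installed on or after the October 2021 Patch Tuesday (2021-10-12, since later cumulative updates supersede the original package), and reports the state of the Storage Spaces service named in the workaround section (`spsvc`). The function name, the `-KnownKBs` parameter and the `LikelyVulnerable` heuristic are assumptions of this example; the KB list should be extended with the October 2021 KB for each build you manage, taken from the vendor advisory.

```powershell
function Test-CVE202140478Status {
    [CmdletBinding()]
    param(
        # KB identifiers that carry the fix. KB5006670 is the one the advisory names for
        # Windows 10 21H1; add the KB for your own build (assumption: taken from the MSRC advisory).
        [string[]]$KnownKBs = @('KB5006670'),
        # Service name as given in the workaround section of the advisory.
        [string]$ServiceName = 'spsvc',
        # Release date of the October 2021 security updates (Patch Tuesday).
        [datetime]$PatchDate = [datetime]'2021-10-12'
    )

    # OS identity and full build number (Version + UBR from the registry).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Installed updates as Windows reports them (Win32_QuickFixEngineering).
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    $matchedKBs = @($hotfixes | Where-Object { $KnownKBs -contains $_.HotFixID })

    # Fallback: any Security Update installed on or after Patch Tuesday. Later cumulative
    # updates supersede KB5006670, so its absence alone does not prove the host is unpatched.
    $laterSecurity = @($hotfixes | Where-Object {
        $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $PatchDate
    })
    $latest = $laterSecurity | Sort-Object InstalledOn -Descending | Select-Object -First 1

    # State of the service the workaround disables (absent on hosts without the feature).
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        OSName                       = $os.Caption
        OSBuild                      = "$($os.Version).$($cv.UBR)"
        KnownKBInstalled             = ($matchedKBs.Count -gt 0)
        MatchedKBs                   = ($matchedKBs.HotFixID -join ',')
        SecurityUpdateSincePatchDate = ($laterSecurity.Count -gt 0)
        LatestSecurityUpdate         = if ($latest) { $latest.HotFixID } else { 'none' }
        ServicePresent               = ($null -ne $svc)
        ServiceStatus                = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        ServiceStartType             = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        # Heuristic (assumption): no known KB, no later security update, and the service is running.
        LikelyVulnerable             = (($matchedKBs.Count -eq 0) -and
                                        ($laterSecurity.Count -eq 0) -and
                                        ($null -ne $svc) -and
                                        ($svc.Status -eq 'Running'))
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
Test-CVE202140478Status | Format-List
```

For fleet-wide checks, wrap the call in `Invoke-Command -ComputerName ...` and export the objects with `Export-Csv`; the `LikelyVulnerable` field is a triage hint, and the authoritative answer remains the OS build number compared against the vendor advisory for that build.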

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 for spsvc.exe execution with unusual parameters
  • Security log entries for privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from systems with Storage Spaces enabled

SIEM Query:

EventID=4688 AND ProcessName="spsvc.exe" AND CommandLine CONTAINS "suspicious"

🔗 References