CVE-2021-40489

7.8 HIGH

📋 TL;DR

CVE-2021-40489 is an elevation of privilege vulnerability in the Windows Storage Spaces Controller, the kernel-mode driver behind Storage Spaces pools and virtual disks. An attacker who can already run code as a low-privileged local user can exploit it to obtain SYSTEM privileges. It affects supported Windows Server and Windows client builds; the controller ships in the default installation, so the fix applies to every listed build, not only hosts that have configured a pool.

💻 Affected Systems

Products:
  • Windows Server
  • Windows 10
  • Windows 11
Versions: Windows Server 2019, Windows Server 2022, Windows 10 versions 1809 and later, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Hosts with Storage Spaces in use, including Windows Server with Storage Spaces Direct and client systems with a storage pool, are the clearest targets, but because the controller driver is part of the default installation (see "Default Config Vulnerable" above) all listed builds need the update.

📦 What is this software?

Storage Spaces is the software-defined storage feature built into Windows. It groups physical disks into a storage pool and carves virtual disks ("spaces") out of that pool with simple, mirror or parity resiliency; Storage Spaces Direct extends the same model across the nodes of a Windows Server failover cluster. The Storage Spaces Controller is the kernel-mode component that implements the pool and virtual-disk logic, which is why a flaw in it yields SYSTEM rather than a user-level foothold.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to gain administrative control over the affected system.

🟢

If Mitigated

Limited impact if proper access controls and network segmentation are implemented, though local compromise remains possible.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to the system.
🏢 Internal Only: HIGH - Attackers with initial access to a system can escalate privileges to gain full control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to run code as an authenticated local user; there is no remote trigger, so it is a post-compromise step rather than an initial access vector. Proof-of-concept code has been published by security researchers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (released 12 October 2021) or any later cumulative update

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40489

Restart Required: Yes

Instructions:

1. Apply the October 2021 cumulative security update, or any later cumulative, for the exact Windows build in use.
2. Take the KB number from the advisory's Security Updates table rather than from a generic list: it differs per build (KB5006670 is the October 2021 cumulative for the Windows 10 2004/20H2/21H1 build line; Windows Server, Windows 10 1809 and Windows 11 each have their own), so a single KB such as KB5005619 should not be assumed to cover every product.
3. Restart the system after installation. The update replaces a kernel driver, so the fix is not active until the reboot.

🔧 Temporary Workarounds

Disable the Storage Spaces Controller driver

windows

Only for hosts that do not use Storage Spaces. The controller is a kernel driver, so disabling it takes every Storage Spaces virtual disk offline and the change only takes full effect at the next reboot. Confirm the registered service name on the target build first (sc query type= driver, or Get-Service), since it may differ from the display name "Storage Spaces Controller" and from the name used here.

sc qc spsvc
sc config spsvc start= disabled
sc stop spsvc

🧯 If You Can't Patch

  • Limit who can run code on the host: restrict interactive and remote logon rights to the accounts that need them, and use application control (AppLocker or WDAC) so an untrusted binary cannot be executed by a low-privileged user in the first place
  • Segment networks and keep local administrator credentials unique per host (for example with LAPS) so one escalated machine does not become a path to the rest of the estate

🔍 How to Verify

Check if Vulnerable:

Any listed build that has not received the October 2021 cumulative update is vulnerable, regardless of configuration. To see whether the host also has Storage Spaces in use, list the non-primordial pools (the ones an administrator created; the primordial pool is just the inventory of raw disks): Get-StoragePool -IsPrimordial $false

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm the October 2021 cumulative (or later) is installed. wmic qfe list | findstr "KB5005619 KB5006670" still works, but wmic is deprecated and the KB numbers are build-specific; Get-HotFix returns the same data, and the most reliable check is to compare the OS build revision (winver, or the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) against the fixed build listed in the advisory.
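The build-revision check described above, as an added example (not code from the original page or from Microsoft). It reads the build number and update build revision (UBR) from the registry, compares them against a table of the October 2021 cumulative-update revisions, and reports whether any Storage Spaces pools exist as context. The revision table is an assumption taken from Microsoft's October 2021 release notes; confirm the values against the MSRC advisory for your build before relying on the result. Run it from an elevated PowerShell session.

```powershell
# Added example for CVE-2021-40489 (not from the original page or from Microsoft).
# ASSUMPTION: the revisions below are the October 2021 cumulative-update builds
# as published in Microsoft's release notes; verify against the MSRC advisory.
$FixedBuilds = @{
    '17763' = 2237   # Windows 10 1809 / Windows Server 2019
    '19041' = 1288   # Windows 10 2004
    '19042' = 1288   # Windows 10 20H2
    '19043' = 1288   # Windows 10 21H1
    '20348' = 288    # Windows Server 2022
    '22000' = 258    # Windows 11 21H2
}

function Test-Cve202140489Fixed {
    # CurrentBuildNumber is the build line (e.g. 19043); UBR is the revision
    # that the monthly cumulative update bumps (e.g. 1288).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    if (-not $FixedBuilds.ContainsKey($build)) {
        return [pscustomobject]@{
            Build = "$build.$ubr"
            Fixed = $null
            Note  = 'Build line not in the table; look it up in the MSRC advisory'
        }
    }
    [pscustomobject]@{
        Build = "$build.$ubr"
        Fixed = ($ubr -ge $FixedBuilds[$build])
        Note  = "October 2021 fix revision for this build line is $($FixedBuilds[$build])"
    }
}

function Get-StorageSpacesExposure {
    # The controller driver is present on every build, so this is context,
    # not a gate: it tells you whether an exploit would also sit next to
    # pool-backed data. Non-primordial pools are the administrator-created ones.
    $pools = Get-StoragePool -IsPrimordial $false -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PoolsConfigured = @($pools).Count
        PoolNames       = @($pools | ForEach-Object FriendlyName)
    }
}

Test-Cve202140489Fixed   | Format-List
Get-StorageSpacesExposure | Format-List
```

A `Fixed` value of `$null` means the build line is not in the table (for example an Insider or LTSC branch the table does not cover); treat it as unknown rather than as patched.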

📡 Detection & Monitoring

Log Indicators:

  • Security Event ID 4688 (process creation; requires "Audit Process Creation", ideally with command-line logging) where the new process runs as SYSTEM (Target Subject S-1-5-18) but the creator (Subject) is an ordinary user. The Storage Spaces Controller is a kernel driver, not a user-mode service, so a filter on a "spsvc.exe" process name is not a reliable signal.
  • A low-privileged user's shell or an unsigned binary in a user-writable directory immediately followed by a SYSTEM-level child process
  • Unexpected bugchecks or Storage Spaces errors in the System log around the same time, since a failed kernel exploit often crashes the host instead of escalating

Network Indicators:

  • Post-escalation activity rather than the exploit itself: new outbound connections, or SMB/WinRM/RDP sessions to other hosts, originating from a machine that has just produced a suspicious 4688, since a SYSTEM token is usually the step before credential theft and lateral movement

SIEM Query:

EventID=4688 AND TargetUserSid="S-1-5-18" AND SubjectUserSid!="S-1-5-18"

Service and scheduled-task launches are created by SYSTEM and are already excluded; tune the query with an allow-list for legitimate non-SYSTEM creators such as PsExec-style tools and backup agents.
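The same detection logic run directly against the Security log, as an added example (not code from the original page). It parses each 4688 event's XML, keeps those where the new process runs as SYSTEM but the creating account is not SYSTEM, and returns the creator, parent and command line so an analyst can triage. The allow-list of creator process names is an assumption and a starting point; "Audit Process Creation" must be enabled and the session must be able to read the Security log.

```powershell
# Added example for CVE-2021-40489 detection (not from the original page).
# ASSUMPTIONS: "Audit Process Creation" (and command-line logging) is on, the
# caller can read the Security log, and $AllowedCreators is tuned per estate.
function Get-SuspiciousSystemSpawn {
    param(
        [int]$Hours = 24,
        [string]$LogPath,                      # optional exported .evtx instead of the live log
        [string[]]$AllowedCreators = @()       # e.g. '*\PSEXESVC.exe' once reviewed
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($LogPath) { $filter.Remove('LogName'); $filter.Path = $LogPath }

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Target = account the new process runs as; Subject = account that created it.
        if ($d.TargetUserSid -ne 'S-1-5-18') { continue }   # only SYSTEM children
        if ($d.SubjectUserSid -eq 'S-1-5-18') { continue }  # SYSTEM spawning SYSTEM is routine

        $allowed = $false
        foreach ($pattern in $AllowedCreators) {
            if ($d.ParentProcessName -like $pattern) { $allowed = $true; break }
        }
        if ($allowed) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Creator     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent      = $d.ParentProcessName
            NewProcess  = $d.NewProcessName
            CommandLine = $d.CommandLine
        }
    }
}

# Live log, last 24 hours; point -LogPath at an .evtx to run it against an export.
Get-SuspiciousSystemSpawn -Hours 24 | Format-Table -AutoSize
```

Every hit is a non-SYSTEM account that ended up with a SYSTEM child, which is the shape any kernel privilege escalation leaves regardless of the specific driver, so the same function stays useful after this CVE is patched.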
