CVE-2021-41347 – This vulnerability allows a local attacker to e... (How to Fix)

Q: What is the severity of CVE-2021-41347?

CVE-2021-41347 has a CVSS score of 7.8 (HIGH). This vulnerability allows a local attacker to elevate privileges on Windows systems by exploiting the AppX Deployment Service. It affects Windows 10, Windows 11, and Windows Server systems with the vulnerable service enabled.

📋 TL;DR

This vulnerability allows a local attacker to elevate privileges on Windows systems by exploiting the AppX Deployment Service. It affects Windows 10, Windows 11, and Windows Server systems with the vulnerable service enabled.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2019
Windows Server 2022

Versions: Windows 10 versions 1809 and later, Windows 11, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires AppX Deployment Service to be running, which is enabled by default on affected systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malicious software, or access restricted resources.

🟢

If Mitigated

Limited impact with proper patch management and least privilege principles in place, though local attackers could still gain some elevated access.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain elevated privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local access and user-level privileges. Proof-of-concept code has been publicly released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670 for Windows 10 21H1, KB5006674 for Windows 10 20H2, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41347

Restart Required: Yes

Instructions:

1. Apply the October 2021 Windows security updates from Windows Update. 2. For enterprise environments, deploy updates via WSUS, SCCM, or Intune. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable AppX Deployment Service

windows

Disables the vulnerable service to prevent exploitation

sc config AppXSvc start= disabled
sc stop AppXSvc

🧯 If You Can't Patch

Implement strict least privilege principles to limit local user access
Monitor for suspicious AppX Deployment Service activity and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if October 2021 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5006670 (or equivalent for your version) is installed and AppX Deployment Service is not being exploited

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with AppXSvc.exe spawning processes with SYSTEM privileges
Unusual AppX Deployment Service activity

Network Indicators:

None - this is a local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName="*AppXSvc.exe*" AND SubjectUserName!="SYSTEM"

📊 Metadata

CVE ID: CVE-2021-41347

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: October 13, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41347 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1161/ Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41347 Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1161/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41347, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable AppX Deployment Service

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities