CVE-2021-43893

7.5 HIGH

📋 TL;DR

This vulnerability in Windows Encrypting File System (EFS) allows authenticated attackers to upload arbitrary files to privileged locations via EFSRPC, potentially leading to privilege escalation. It affects Windows systems with EFS enabled. Attackers need local access to exploit this flaw.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires EFSRPC interface to be accessible; systems with EFS disabled may still be vulnerable if the service is running.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 11 by Microsoft

View all CVEs affecting Windows 11 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server by Microsoft

View all CVEs affecting Windows Server →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and persistent backdoors.

🟠

Likely Case

Local privilege escalation from standard user to SYSTEM/administrator, allowing execution of arbitrary code with highest privileges.

🟢

If Mitigated

Limited impact with proper network segmentation, least privilege principles, and endpoint protection blocking suspicious file writes.

🌐 Internet-Facing: LOW - Requires local authentication; not directly exploitable over internet without prior access.

🏢 Internal Only: HIGH - Significant risk in internal networks where attackers gain initial foothold through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local authenticated access; public exploit code available on Packet Storm and other security sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009543 for Windows 10 21H2, KB5009557 for Windows Server 2022, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43893

Restart Required: Yes

Instructions:

1. Apply January 2022 Windows security updates via Windows Update. 2. For enterprise: Deploy patches through WSUS or SCCM. 3. Verify installation via 'systeminfo' command showing appropriate KB installed.

🔧 Temporary Workarounds

Disable EFSRPC via Registry

windows

Prevents exploitation by disabling the vulnerable EFSRPC interface

reg add "HKLM\SYSTEM\CurrentControlSet\Services\EFS" /v "Start" /t REG_DWORD /d 4 /f

Restrict EFSRPC Access with Firewall

windows

Blocks network access to EFSRPC endpoints

netsh advfirewall firewall add rule name="Block EFSRPC" dir=in action=block protocol=TCP localport=445,139

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement
Enforce least privilege principles and monitor for suspicious file writes to system directories

🔍 How to Verify

Check if Vulnerable:

Check if January 2022 security updates are NOT installed via 'systeminfo | findstr /C:"KB5009543" /C:"KB5009557"' (returns empty if vulnerable)

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm January 2022 updates are installed: 'systeminfo | findstr /C:"KB5009543" /C:"KB5009557"' should show installed KB numbers

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4663 (File system access) showing unauthorized writes to system directories
Sysmon Event ID 11 (FileCreate) for suspicious file creation in privileged locations

Network Indicators:

Unusual RPC calls to EFS endpoints (\pipe\efsrpc)
SMB traffic to system shares from non-admin accounts

SIEM Query:

source="windows" (event_id=4663 OR event_id=11) AND (target_object="*\\Windows\\*" OR target_object="*\\Program Files\\*") AND user NOT IN ("SYSTEM", "Administrators")

📊 Metadata

CVE ID: CVE-2021-43893

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-668

Published: December 15, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/165560/Microsoft-Windows-EFSRPC-Arbitrary-File-Upload-Privilege-Escalation.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43893 Patch,Vendor Advisory
http://packetstormsecurity.com/files/165560/Microsoft-Windows-EFSRPC-Arbitrary-File-Upload-Privilege-Escalation.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43893 Patch,Vendor Advisory