CVE-2021-44595

8.8 HIGH

📋 TL;DR

CVE-2021-44595 is a privilege escalation vulnerability in Wondershare Dr. Fone where unprivileged users can send crafted packets to ElevationService.exe to execute arbitrary code with SYSTEM privileges. This affects all users running vulnerable versions of Dr. Fone on Windows systems.

💻 Affected Systems

Products:
  • Wondershare Dr. Fone
Versions: Up to and including version 12.0.7 (latest as of 2021-12-06)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The ElevationService.exe runs with SYSTEM privileges by design, making default installations vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing persistent malware, accessing all user data, and controlling the entire system.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, or access protected system resources.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are enforced, though local attackers could still escalate privileges.

🌐 Internet-Facing: LOW (requires local access to the system)
🏢 Internal Only: HIGH (any local user or malware with user privileges can exploit this)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access but is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 12.0.7 (check vendor for specific fixed version)

Vendor Advisory: http://wondershare.com

Restart Required: Yes

Instructions:

1. Open Wondershare Dr. Fone.
2. Go to Help > Check for Updates.
3. Install the latest available update.
4. Restart the computer to ensure all services are updated.

🔧 Temporary Workarounds

Disable ElevationService.exe (Windows)

Stop and disable the vulnerable service to prevent exploitation. The name passed to sc must be the registered service name, which can differ from the executable name; confirm it in services.msc before running these commands:

  sc stop ElevationService
  sc config ElevationService start= disabled

Remove Dr. Fone (Windows)

Uninstall the software if not required:

  appwiz.cpl (opens Programs and Features; then uninstall Dr. Fone)

🧯 If You Can't Patch

  • Restrict local user access to systems with Dr. Fone installed
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Dr. Fone version in Help > About. If version is 12.0.7 or earlier, the system is vulnerable.

Check Version:

  wmic product where name="Dr. Fone" get version

Note: wmic product queries Win32_Product, which is slow and triggers an MSI consistency check of every installed package, and wmic itself is deprecated on current Windows releases; the Help > About dialog is the quicker check on a single machine.

Verify Fix Applied:

Verify Dr. Fone version is higher than 12.0.7 and ElevationService.exe is not running or has been updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from ElevationService.exe
  • Network connections to ElevationService.exe from non-standard processes

Network Indicators:

  • Localhost connections to ElevationService.exe port (if network enabled)
  • Unusual inter-process communication patterns

SIEM Query:

Process creation events where ParentImage ends with "ElevationService.exe" AND Image is NOT in expected_processes (a list of child processes the service is known to launch, built from a baseline of normal Dr. Fone activity)
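The SIEM logic above as a runnable filter, added here as an example and not part of this advisory: it reads Sysmon Event ID 1 (process creation) records in JSON-lines form and flags children of ElevationService.exe that are not on an allowlist. The install path, the allowlist entry and the sample records are constructed assumptions, not vendor documentation.

```python
import json

# Assumed allowlist of children the service normally spawns (lower-case full paths).
# Build this from your own baseline; the path below is a constructed example.
EXPECTED_CHILDREN = {
    r"c:\program files (x86)\wondershare\dr.fone\dr.fone.exe",
}

def is_suspicious(event):
    """True for a process-creation event whose parent is ElevationService.exe
    and whose child image is not an expected one (the SIEM rule above)."""
    if event.get("EventID") != 1:
        return False
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith("\\elevationservice.exe"):
        return False
    return image not in EXPECTED_CHILDREN

def scan(lines):
    """Return (UtcTime, Image, User) for every suspicious record; skips
    blank or malformed lines instead of aborting the whole scan."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append((event.get("UtcTime"), event.get("Image"), event.get("User")))
    return hits

# Constructed sample log: one expected child, one unexpected SYSTEM shell,
# and one unrelated event with a different parent.
SAMPLE_LOG = r'''
{"EventID": 1, "UtcTime": "2021-12-06 10:00:01", "Image": "C:\\Program Files (x86)\\Wondershare\\dr.fone\\dr.fone.exe", "ParentImage": "C:\\Program Files (x86)\\Wondershare\\dr.fone\\ElevationService.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "UtcTime": "2021-12-06 10:00:02", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Wondershare\\dr.fone\\ElevationService.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "UtcTime": "2021-12-06 10:00:03", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP\\alice"}
'''

if __name__ == "__main__":
    for when, image, user in scan(SAMPLE_LOG.splitlines()):
        print(f"{when} ALERT unexpected child of ElevationService.exe: {image} as {user}")
```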
