CVE-2021-36934

Published: 22/07/2021 Updated: 30/07/2021
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Microsoft Windows elevation-of-privilege vulnerability, known as HiveNightmare or SeriousSAM. The elevation of privilege exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must already be able to execute code on the victim system to exploit this vulnerability. This issue affects Windows 10 version 1809 and newer operating systems.

Vulnerable Products

microsoft windows 10 20h2

microsoft windows 10 21h1

microsoft windows 10 1809

microsoft windows 10 1909

microsoft windows 10 2004

Github Repositories

Invoke-HiveDreams A capability to identify and remediate CVE-2021-36934 (HiveNightmare)

HiveNightmare This is a quick and dirty exploit for HiveNightmare (or SeriousSam) - CVE-2021-36934. It allows non-administrator users to read the SAM, SECURITY and SYSTEM hives from system restore points. It is based on the original exploit by Kevin Beaumont (github.com/GossiTheDog/HiveNightmare). To run this exploit just execute hive.exe. This will save the la

CVE-2021-36934

ShadowSteal | CVE-2021-36934 Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM Local Privilege Escalation (LPE). Nothing fancy, basically just a wrapper for PowerShell copy, but does save some time if you're triaging vulnerable hosts. Not OPSEC safe yet ;) Summary Due to some oversight by Microsoft, regular users have read permissions over the conten

HiveNightmareChecker To check if system is vulnerable to HiveNightmare CVE-2021-36934

Overview This is a Datto RMM component to mitigate CVE-2021-36934, aka Serious SAM. It follows the mitigation measures outlined at: msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 and kb.cert.org/vuls/id/506989. USE AT YOUR OWN RISK. EXPECT THIS TO BREAK SOME BACKUPS TEMPORARILY. Only basic error checking is in place. Usage Just upload the component in

CVE-2021-36934 HiveNightmare aka SeriousSAM

HiveNightmare HiveNightmare/SeriousSAM (CVE_2021_36934). Original project: github.com/cube0x0/CVE-2021-36934. The following changes were made: added a custom path for the copied files; the file name is random characters (6 uppercase letters), mainly to counter some rules, such as file-name detection.

Beacon Object Files (Name: Syntax) Silent Lsass Dump: silentLsassDump <LSASS PID>; CredPrompt: credprompt [Text message]; SeriousSam (CVE-2021-36934): BOFNET, check the readme

Hi there, my name is Noureldin. A little more about me: #!/usr/bin/python # -*- coding: utf-8 -*- class Pentester: def __init__(self): self.name = "Noureldin" self.role = "Pentester" self.language_spoken = ["ar", "en_US", "de_DE", "tr_TR", "es_MX"] def say_hi(self):

PyNightmare PoC for CVE-2021-36934 aka HiveNightmare/SeriousSAM, fully written in python3. Explanation CVE-2021-36934 is a recently discovered vulnerability found by @jonasLyk allowing non-admin users to copy all registry hives, which contain very private information like hashes that could lead to Privilege Escalation. Inspiration Simple PoC for the HiveNightmare vulnerability insp

CVE-2021-36934 CVE-2021-36934 HiveNightmare vulnerability checker and workaround

GoHN - Go HiveNightmare Test and extraction tool for SeriousSam, CVE-2021-36934, HiveNightmare, or 2021's latest excitement. What Is This Inspired by github.com/GossiTheDog/HiveNightmare and built out for use to develop detections associated with this potential attack. This version supports -test as well as -extract mode and will iterate through up to 64 snapshots

CVE-2021-36934 Usage Detection: .\Get-HiveNightmareStatus.ps1 Detection for management tools that need True/False output: .\Get-HiveNightmareStatus.ps1 -PostureCheck Remediation: .\Get-HiveNightmareStatus.ps1 -Remediate Exploitability Test: .\Get-HiveNightmareStat

Invoke-HiveNightmare PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer

SeriousSam HiveNightmare aka SeriousSam Local Privilege Escalation in Windows – CVE-2021-36934

CVE-2021-36934 CVE-2021-36934 PowerShell Fix This PowerShell script fixes CVE-2021-36934, based on the original script of Joran Slingerland (github.com/JoranSlingerland): github.com/JoranSlingerland/CVE-2021-36934/blob/main/CVE-2021-36934.ps1

HiveNightmare CVE-2021-36934, Exploit allowing you to read any registry hives as non-admin

HiveNightmare aka SeriousSam, or now CVE-2021-36934 Exploit allowing you to read any registry hives as non-admin. What is this? A zero-day exploit for HiveNightmare, which allows you to retrieve all registry hives in Windows 10 as a non-administrator user. For example, this includes hashes in SAM, which can be used to execute code as SYSTEM. Authors Discovered by @jo

VSSCopy Small and dirty PoC for CVE-2021-36934. Usage: VSSCopy.exe C:\temp Credits: twitter.com/jonasLyk twitter.com/gentilkiwi

CVE-2021-36934 CVE-2021-36934 PowerShell scripts Detection.ps1 This is a quick and dirty script to see if a machine may be vulnerable. It writes out a message to the shell indicating whether BUILTIN\Users was detected in the permission list and includes the current permissions on the SAM path for validation. SCCM-Detection.ps1 This is a basic PowerShell script for use in SCCM co

HiveShadow This is an implementation of CVE-2021-36934 written in Go (1.16.3). Original code: github.com/GossiTheDog/HiveNightmare

CVE-2021-36934 C# implementation of CVE-2021-36934 also called HiveNightmare/SeriousSAM with built-in parser

PSHiveNightmare PSHiveNightmare CVE-2021-36934 Exploit allowing you to read any registry hives as non-admin. What is this? A zero-day exploit for HiveNightmare, which allows you to retrieve all registry hives in Windows 10 as a non-administrator user. For example, this includes hashes in SAM, which can be used to execute code as SYSTEM. Why PS this? The HiveNightmare w

Microsoft Wont-Fix-List A list of vulnerabilities or design flaws Microsoft does not intend to fix. Since the number is growing, I decided to make a list. LPE = Local Privilege Escalation; DPE = Domain-wide Privilege Escalation; RCE = Remote Code Execution. (Table columns: Vulnerability, CVE, Attack Type, It's NTLM again, right?, How it works in a nutshell) SpoolSample works as designed

Recent Articles

Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug
Threatpost • Tom Spring • 22 Jul 2021

A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems.
The bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers. A prerequisite for abuse of the bug is an adversary ne...

Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit
The Register • Richard Speed • 22 Jul 2021


After setting the "days since a security cock-up" counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934).
The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the problem, and then wipe any Volume Shadow Copy Service (VSS) shadow copies that were taken prior to the icacls fix.
It's hardly an ideal solution, since those shadow ...
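The check-then-remediate sequence the article describes, as an added PowerShell example that is not Vulmon's text and not code from any repository listed above: it inspects the ACLs of the SAM, SECURITY and SYSTEM hive files for a BUILTIN\Users read ACE (the CVE-2021-36934 condition) and, with -Remediate, runs the icacls inheritance reset on System32\config followed by deletion of existing VSS shadow copies. The function names are this example's own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from Vulmon or the listed repositories). Reports whether the
# SAM, SECURITY and SYSTEM hives grant read access to BUILTIN\Users and, with
# -Remediate, applies the published workaround: re-enable ACL inheritance on
# %windir%\System32\config, then delete VSS shadow copies that still hold
# readable copies of the hives. Requires an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'
$usersSid  = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (locale-independent)

function Test-HiveNightmare {
    # One result object per hive: path, vulnerable flag, and the offending ACEs.
    foreach ($hive in $hives) {
        $path = Join-Path $configDir $hive
        $acl  = Get-Acl -LiteralPath $path
        # Request rules keyed by SID rather than by (localised) account name.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $bad = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $usersSid -and
            ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)
        })
        [pscustomobject]@{
            Path       = $path
            Vulnerable = ($bad.Count -gt 0)
            UsersAces  = ($bad | ForEach-Object { [string]$_.FileSystemRights }) -join '; '
        }
    }
}

function Invoke-HiveNightmareWorkaround {
    # Step 1: restore inheritance on every file in System32\config so the hives
    # pick up the folder's restrictive ACL and lose the explicit Users read ACE.
    icacls "$configDir\*.*" /inheritance:e
    # Step 2: remove shadow copies taken before the ACL fix; backups that depend
    # on these snapshots will need to be recreated afterwards.
    vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet
}

$before = Test-HiveNightmare
$before | Format-Table -AutoSize
if ($Remediate -and ($before.Vulnerable -contains $true)) {
    Invoke-HiveNightmareWorkaround
    Test-HiveNightmare | Format-Table -AutoSize   # confirm the Users ACEs are gone
}
```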

Make-me-admin holes found in Windows, Linux kernel
The Register • Richard Speed • 21 Jul 2021

Patches available for priv-esc bug in the open-source software, at least

Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can be potentially exploited by rogue users and malware to gain admin-level powers.
Meanwhile, a make-me-root hole was found in recent Linux kernels.
Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.
As a result of this blunder, non-administrative user...