4.6
CVSSv2

CVE-2021-41379

Published: 10/11/2021 Updated: 12/11/2021
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

This vulnerability allows local malicious users to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. By creating a junction, an attacker can abuse the service to delete a file or directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

microsoft windows 10 -

microsoft windows 10 20h2

microsoft windows 10 21h1

microsoft windows 10 1607

microsoft windows 10 1809

microsoft windows 10 1909

microsoft windows 10 2004

microsoft windows 11 -

microsoft windows 7 -

microsoft windows 8.1 -

microsoft windows rt 8.1 -

microsoft windows server 2008 -

microsoft windows server 2008 r2

microsoft windows server 2012 -

microsoft windows server 2012 r2

microsoft windows server 2016 -

microsoft windows server 2016 20h2

microsoft windows server 2016 2004

microsoft windows server 2019 -

microsoft windows server 2022 -

Github Repositories

InstallerFileTakeOver For your notes, this works in every supporting windows installation Including Windows 11 and Server 2022 As some of you might notice, this also work in server installations While group policy by default doesn't allow standard users to do any msi operation The administrative install feature thing seems to be completely bypassing group policy This

InstallerFileTakeOver For your notes, this works in every supporting windows installation Including Windows 11 and Server 2022 with November 2021 patch As some of you might notice, this also work in server installations While group policy by default doesn't allow standard users to do any msi operation The administrative install feature thing seems to be completely byp

InstallerFileTakeOver For your notes, this works in every supporting windows installation Including Windows 11 and Server 2022 with November 2021 patch As some of you might notice, this also work in server installations While group policy by default doesn't allow standard users to do any msi operation The administrative install feature thing seems to be completely byp

InstallerFileTakeOver For your notes, this works in every supporting windows installation Including Windows 11 and Server 2022 with November 2021 patch As some of you might notice, this also work in server installations While group policy by default doesn't allow standard users to do any msi operation The administrative install feature thing seems to be completely byp

InstallerFileTakeOver For your notes, this works in every supporting windows installation Including Windows 11 and Server 2022 with November 2021 patch As some of you might notice, this also work in server installations While group policy by default doesn't allow standard users to do any msi operation The administrative install feature thing seems to be completely byp

Recent Articles

Attackers Actively Target Windows Installer Zero-Day
Threatpost • Elizabeth Montalbano • 24 Nov 2021

Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem.
Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its November Patch Tuesday updates.
However, after examining the fix, Nace...

Zero-day proof-of-concept exploit lands for Windows make-me-admin vulnerability
The Register • Richard Speed • 23 Nov 2021

Get our weekly newsletter InstallerFileTakeOver code pops up on GitHub

The day has a 'y' in it, so it must be time for another zero day to drop for a Microsoft product. In this case, a local privilege-elevation vulnerability to gain control of fully patched Windows 10, 11, and Server systems up to the 2022 build.
Dubbed InstallerFileTakeOver by its author Abdelhamid Naceri, the proof-of-concept code was dropped onto the Microsoft-owned GitHub and, based on our testing, does indeed seem to work. We were able to fire up a shell running with SYSTEM privileges fr...

New Windows zero-day with public exploit lets you become an admin
BleepingComputer • Lawrence Abrams • 22 Nov 2021

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
BleepingComputer has tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with only low-level 'Standard' privileges.
Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help sp...