CVE-2021-21551
Published 2021-05-04
CVE-2021-21551: Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.
Priority P1 · 82 · high · 7.8 (CVSS 3.1)
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-21
Exploited in the wild
EPSS: 57.47% (99.0th percentile)
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | dbutil | <= 2.3 | — |
| dell | dbutil | — | — |
Detection & IOCs (extracted from sources)
Command: `DeviceIoControl(hDevice, EXPLOITABLE_RW_CONTROL_CODE, &privilege_present_params, sizeof(privilege_present_params), &privilege_present_params, sizeof(privilege_present_params), &bytesReturned, NULL)`
- Monitor for creation of the device object \Device\DBUtil_2_3 or symbolic link \\.\DBUtil_2_3, which indicates the vulnerable driver has been loaded and is accepting IOCTL requests from any process (SID S-1-1-0 / Everyone).
- Alert on any non-privileged process issuing DeviceIoControl calls to \Device\DBUtil_2_3 with IOCTL code 0x9B0C1EC8 (arbitrary kernel read/write via memmove) or 0x9B0C1EC4 (read primitive).
- Detect presence of dbutil_2_3.sys dropped in C:\Windows\Temp; this path is anomalous for a kernel driver and can be used as a BYOVD staging indicator.
- Monitor for a new service creation event (e.g., via Process Hacker or ETW) associated with dbutil_2_3.sys, which is how the driver is transiently loaded during Dell firmware update utilities.
- Detect exploitation attempts that overwrite _SEP_TOKEN_PRIVILEGES fields (Present/Enabled/EnabledByDefault at token+0x40/0x48/0x50) with 0xffffffffffffffff via the IOCTL write primitive.
- Watch for exploitation chains that invoke ntdll!NtQueryIntervalProfile after writing shellcode into the driver's .data section, as this is used to redirect kernel execution flow during privilege escalation.
- Flag use of KUSER_SHARED_DATA address 0xFFFFF78000000000 as a read anchor in kernel exploit chains targeting this driver, as it is used to establish the arbitrary read primitive.
- The vulnerable driver (dbutil_2_3.sys version 2.3) accepts IOCTL requests from any process with no ACL restrictions (SID S-1-1-0 / Everyone), meaning exploitation requires only local authenticated (non-admin) access; no special privileges are needed to open the device handle.
- At time of publication the vulnerable driver's certificate had not been revoked, meaning it could still be used in BYOVD (Bring Your Own Vulnerable Driver) attacks even after patching.
- No in-the-wild exploitation had been observed at time of disclosure; however, the driver has been present on hundreds of millions of Dell Windows devices since at least 2009.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-pp2j-9hqv-7x55: Dell dbutil_2_3
ghsa_unreviewed·2022-05-24
CVE-2021-21551 [HIGH] CWE-782 GHSA-pp2j-9hqv-7x55: Dell dbutil_2_3
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
VulnCheck
Dell dbutil Driver Insufficient Access Control Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-21551 [HIGH] CWE-782 Dell dbutil Driver Insufficient Access Control Vulnerability
Dell dbutil Driver Insufficient Access Control Vulnerability
Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure.
Affected: Dell dbutil Driver
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.virusbulletin.com/uploads/pdf/conference/vb2022/VB2022-Kalnai-Havranek.pdf; https://www.welivesecurity.com/wp-content/uploads/2023/02/eset_threat_report_t32022.pdf; https://documents-dds-ny.un.org/doc/UNDOC/GEN/N23/037/94/PDF/N2303794.pdf; https://www.mandiant.com/resources/blog/lightshift-and-lightshow; https://securityintelligence.com/posts/defensive-cons
CISA
Dell dbutil Driver Insufficient Access Control Vulnerability
cisa·2022-03-31·CVSS 7.8
CVE-2021-21551 [HIGH] CWE-782 Dell dbutil Driver Insufficient Access Control Vulnerability
Vulnerability: Dell dbutil Driver Insufficient Access Control Vulnerability
Affected: Dell dbutil Driver
Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-21551
Remediation Due Date: 2022-04-21
No detection rules found.
Exploit-DB
DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
exploitdb·2021-05-21·CVSS 8.8
CVE-2021-21551 [HIGH] DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
---
```c
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
# Date: 10/05/2021
# Exploit Author: Paolo Stagno aka VoidSec
# Version:
#include
#include
#include
#include
#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2
// define the buffer structure which will be sent to the vulnerable driver
typedef struct Exploit
{
uint64_t Field1; // "padding" can be anything
void* Field2; // where to write
uint64_t Field3; // must be 0
uint64_t Field4; // value to write
};
typedef struct outBuffer
{
uint64_t Field1;
uint64_t Field2;
uint64_
```
Metasploit
Dell DBUtil_2_3.sys IOCTL memmove
metasploit
Dell DBUtil_2_3.sys IOCTL memmove
Dell DBUtil_2_3.sys IOCTL memmove
The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory.
Securelist
From Caribbean shores to your devices: analyzing Cuba ransomware
blogs_securelist·2023-09-11
From Caribbean shores to your devices: analyzing Cuba ransomware
Table of Contents
- Introduction
- Cuba ransomware gang
  - Victimology
  - Ransomware
  - Cuba extortion model
  - Arsenal
  - Profits
- Investigation of a Cuba-related incident and analysis of the malware
  - Host: SRV_STORAGE
  - Bughatch
  - SRV_Service host
  - Veeamp
  - Avast Anti-Rootkit driver
  - Burntcigar
  - SRV_MAIL host (Exchange server)
  - SqlDbAdmin
  - Cobalt Strike
- New malware
- BYOVD (Bring Your Own Vulnerable Driver)
- Conclusion
- Appendix
Authors
- Alexander Kirichenko
- Gleb Ivanov
## Introduction
Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.
Securelist
Analysis of Cuba ransomware gang activity and tooling
blogs_securelist·2023-09-11
Analysis of Cuba ransomware gang activity and tooling
## Cuba ransomware gang
Cuba data leak site
The group’s offe
Checkpoint
24th May – Threat Intelligence Report
blogs_checkpoint·2021-05-24
CVE-2021-21551 24th May – Threat Intelligence Report
## 24th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th May, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has discovered multiple misconfiguration flaws in third party cloud services of Android applications, which have led to the exposure of sensitive personal data of more than 100 million Android users and developers. Many flaws were the result of improper configuration of real-time databases.
Check Point Harmo
Sentinelone
CVE-2021-21551- Millions Of Dell Computers At Risk - Multiple BIOS Driver Privilege Escalation Flaws
blogs_sentinelone·2021-05-14·CVSS 8.8
[HIGH] CVE-2021-21551- Millions Of Dell Computers At Risk - Multiple BIOS Driver Privilege Escalation Flaws
Sentinelone
CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws - SentinelLabs
blogs_sentinelone·2021-05-04·CVSS 8.8
CVE-2021-21551 [HIGH] CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws - SentinelLabs
## Executive Summary
- SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets.
- Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges.
- Since 2009, Dell has released hundreds of millions of Windows devices worldwide which contain the vulnerable driver.
- SentinelLabs findings were proactively reported to Dell on Dec 1, 2020 and are tracked as CVE-2021-21551, marked with CVSS Score 8.8.
- Dell has released a security update to its customers to address this vulnerability.
- At this time, SentinelOne has not discovered evidence of in-the-wild abuse.
## Introduction
Several months ago, I started investigating the security posture of the firmware update driver version
Crowdstrike
CVE-2021-21551: Learning Through Exploitation
blogs_crowdstrike·CVSS 8.8
[HIGH] CVE-2021-21551: Learning Through Exploitation
References
- http://packetstormsecurity.com/files/162604/Dell-DBUtil_2_3.sys-IOCTL-Memory-Read-Write.html
- http://packetstormsecurity.com/files/162739/DELL-dbutil_2_3.sys-2.3-Arbitrary-Write-Privilege-Escalation.html
- https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21551
Timeline
- 2021-05-04: Published
- 2022-03-31: Added to CISA KEV
- Exploited in the wild