⚠ Actively exploited
Added to CISA KEV on 2022-03-31. Federal agencies required to patch by 2022-04-21. Required action: Apply updates per vendor instructions..

CVE-2021-34484

CWE-269Improper Privilege Management7 documents7 sources
Severity
7.8HIGH
EPSS
2.8%
top 13.96%
CISA KEV
KEV
Added 2022-03-31
Due 2022-04-21
Exploit
Exploited in wild
Active exploitation observed
Affected products
34
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809+31 more
Timeline
PublishedAug 12
KEV addedMar 31
KEV dueApr 21
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Windows User Profile Service Elevation of Privilege Vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages32 packages

CVEListV5microsoft/windows_7_service_pack_16.1.06.1.7601.25685
CVEListV5microsoft/windows_server_2008_service_pack_26.0.06.0.6003.21192
CVEListV5microsoft/windows_server_2008_r2_service_pack_16.1.06.1.7601.25685

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-mp6h-cxp8-82j6: Windows User Profile Service Elevation of Privilege Vulnerability2022-05-24
CVEList
Windows User Profile Service Elevation of Privilege Vulnerability2021-08-12
VulnCheck
Microsoft Windows User Profile Service Privilege Escalation Vulnerability2021

💥Exploits & PoCs

1
Metasploit
User Profile Arbitrary Junction Creation Local Privilege Elevation

📋Vendor Advisories

2
CISA
Microsoft Windows User Profile Service Privilege Escalation Vulnerability2022-03-31
Microsoft
Windows User Profile Service Elevation of Privilege Vulnerability2021-08-10
CVE-2021-34484 (HIGH CVSS 7.8) | Windows User Profile Service Elevat | cvebase.io