CVE-2021-36276
Published 2021-08-09
Priority: P2 · 73 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.27% (18.4th percentile)
Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | dbutil | — | — |
| dell | dbutildrv2.sys_firmware | — | — |
| dell | dbutildrv2.sys_firmware | — | — |
Detection & IOCs (extracted from sources)
Detections:
- Monitor for installation events of the Dell DBUtilDrv2.sys driver (CVE-2021-36276) via Device Manager / INF file, as TCESB installs it using the BYOVD technique to modify kernel callback structures.
- Detect loading of version.dll from non-system directories (e.g., temp or current working directory) within the ecls.exe (ESET Command-line scanner) process, indicative of DLL-proxying / T1574.
- Alert on outbound GET requests to msdl.microsoft.com for PDB symbol downloads from non-developer/non-debugging hosts, as TCESB fetches ntoskrnl PDB files to resolve kernel structure offsets.
- Monitor for extensionless payload files named 'kesp' or 'ecore' appearing in the current working directory of a suspicious process, as TCESB polls every two seconds for these AES-128 encrypted payload files.
Caveats:
- DBUtilDrv2.sys versions 2.5 and 2.6 are the vulnerable versions exploited; version scoping is important to avoid false positives on patched/updated driver versions.
- CVE-2021-36276 exploitation requires local authenticated user access; remote exploitation is not possible, so detections should be scoped to local privilege escalation scenarios.
- TCESB falls back to downloading PDB files from Microsoft's symbol server only when its embedded CSV (matching EDRSandBlast as of August 13, 2022) does not contain offsets for the running kernel version; network detections on msdl.microsoft.com may not fire on all targets.
CVSS provenance
- NVD v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 4.6 MEDIUM (AV:L/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 8.8 HIGH
GHSA
GHSA-6hw8-gq2c-479x: Dell DBUtilDrv2 (CVE-2021-36276, HIGH, CWE-552)
ghsa_unreviewed · 2022-05-24
VulnCheck
dell dbutildrv2.sys_firmware Improper Authorization (CVE-2021-36276, HIGH)
vulncheck · 2021 · CVSS 8.8
Affected: dell dbutildrv2.sys_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
- https://www.picussecurity.com/resource/blog/dissecting-toddycat-cyber-espionage-and-mitre-ttps
No detection rules found.
No public exploits indexed.
Securelist
How ToddyCat tried to hide behind AV software
blogs_securelist · 2025-04-07 · CVSS 8.4
CVE-2024-11859 [HIGH]
Table of Contents
- Detection
- Loading the tool
  - DLL proxying
  - CVE-2024-11859 vulnerability in ESET Command line scanner
- Basic functionality
  - Searching for addresses in the kernel memory
  - Vulnerable driver
  - Launching the payload
- Takeaways
- Indicators of compromise
  - Malicious Files Hashes
  - Legitimate file for DLL proxying
  - Legitimate files for BYOVD
Authors
- Andrey Gunkin
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drive
Securelist
APT group ToddyCat exploits a vulnerability in ESET for DLL proxying
blogs_securelist · 2025-04-07
Table of Contents
- Detection
- Loading the tool
- Basic functionality
- Takeaways
- Indicators of compromise
Authors
- Andrey Gunkin
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of t
Vendor advisory: https://www.dell.com/support/kbdoc/en-us/000190105/dsa-2021-152-dell-client-platform-security-update-for-an-insufficient-access-control-vulnerability-in-the-dell-dbutildrv2-sys-driver