CVE-2021-40449
Published 2021-10-13
CVE-2021-40449: Win32k Elevation of Privilege Vulnerability
Severity: HIGH 7.8
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-12-01
Exploited in the wild
Affected
38 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1507 | >= 10.0.0 < 10.0.10240.19086 | 10.0.10240.19086 |
| microsoft | windows_10_version_1607 | >= 10.0.0 < 10.0.14393.4704 | 10.0.14393.4704 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.2237 | 10.0.17763.2237 |
| microsoft | windows_10_version_1909 | >= 10.0.0 < 10.0.18363.1854 | 10.0.18363.1854 |
| microsoft | windows_10_version_2004 | >= 10.0.0 < 10.0.19041.1288 | 10.0.19041.1288 |
| microsoft | windows_10_version_20h2 | >= 10.0.0 < 10.0.19041.1288 | 10.0.19041.1288 |
| microsoft | windows_10_version_21h1 | >= 10.0.0 < 10.0.19041.1288 | 10.0.19041.1288 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.258 | 10.0.22000.258 |
| microsoft | windows_7 | >= 6.1.0 < 6.1.7601.25740 | 6.1.7601.25740 |
| microsoft | windows_7_service_pack_1 | >= 6.1.0 < 6.1.7601.25740 | 6.1.7601.25740 |
| microsoft | windows_8.1 | >= 6.3.0 < 6.3.9600.20144 | 6.3.9600.20144 |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.0.0 < 6.1.7601.25740 | 6.1.7601.25740 |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.0 < 6.1.7601.25740 | 6.1.7601.25740 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.0 < 6.0.6003.21251 | 6.0.6003.21251 |
| microsoft | windows_server_2012 | >= 6.2.0 < 6.2.9200.23490 | 6.2.9200.23490 |
| microsoft | windows_server_2012_r2 | >= 6.3.0 < 6.3.9600.20144 | 6.3.9600.20144 |
| microsoft | windows_server_2016 | >= 10.0.0 < 10.0.14393.4704 | 10.0.14393.4704 |
| microsoft | windows_server_2019 | >= 10.0.0 < 10.0.17763.2237 | 10.0.17763.2237 |
| microsoft | windows_server_2022 | >= 10.0.0 < 10.0.20348.288 | 10.0.20348.288 |
| microsoft | windows_server_version_2004 | >= 10.0.0 < 10.0.19041.1288 | 10.0.19041.1288 |
| microsoft | windows_server_version_20h2 | >= 10.0.0 < 10.0.19042.1288 | 10.0.19042.1288 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
CVSS provenance
| Source | Score | Severity |
|---|---|---|
| cvelistv5 | 7.8 | HIGH |
| vulncheck | 7.8 | HIGH |
| cisa | 7.8 | HIGH |
CISA
Microsoft Windows Win32k Privilege Escalation Vulnerability
cisa·2021-11-17·CVSS 7.8
CVE-2021-40449 [HIGH] CWE-416 Microsoft Windows Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Win32k Privilege Escalation Vulnerability
Affected: Microsoft Windows
Unspecified vulnerability allows for an authenticated user to escalate privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-40449
Remediation Due Date: 2021-12-01
Microsoft
Win32k Elevation of Privilege Vulnerability
vendor_msrc·2021-10-12·CVSS 7.8
CVE-2021-40449 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
Product: Windows Win32K
Vendor: Microsoft
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation Detected; Older Software Release: Exploitation Detected; DOS: N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5006672
Reference: https://support.microsoft.com/help/5006672
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5006667
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5006670
Reference: https://support.microsoft.com/help/5006670
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5006699
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5006674
Re
GHSA
GHSA-pph6-grp2-wvvw: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-40450
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-41357 [HIGH] CWE-269 GHSA-pph6-grp2-wvvw: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-40450
Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-40450.
GHSA
GHSA-qjf4-g2gg-w6pq: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40450, CVE-2021-41357
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-40449 [HIGH] CWE-269 GHSA-qjf4-g2gg-w6pq: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40450, CVE-2021-41357
Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40450, CVE-2021-41357.
GHSA
GHSA-v7qc-rhmv-f6j4: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-41357
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-40450 [HIGH] CWE-269 GHSA-v7qc-rhmv-f6j4: Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-41357
Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40449, CVE-2021-41357.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
CVEList
Win32k Elevation of Privilege Vulnerability
cvelistv5·2021-10-13·CVSS 7.8
CVE-2021-40449 [HIGH] Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
Win32k Elevation of Privilege Vulnerability
VulnCheck
Microsoft Windows Win32k Privilege Escalation Vulnerability
vulncheck·2021·CVSS 7.8
CVE-2021-40449 [HIGH] CWE-416 Microsoft Windows Win32k Privilege Escalation Vulnerability
Microsoft Windows Win32k Privilege Escalation Vulnerability
Unspecified vulnerability allows for an authenticated user to escalate privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2021-Oct; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40449; https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/; https://threatpost.com/microsoft-patch-tuesday-bug-exploited-mysterysnail-espionage-campaign/175431/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://static.tenable
No detection rules found.
Bleepingcomputer
Chinese hackers target Russian govt with upgraded RAT malware
blogs_bleepingcomputer·2025-04-18
Chinese hackers target Russian govt with upgraded RAT malware
## Chinese hackers target Russian govt with upgraded RAT malware
## Sergiu Gatlan
Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) spotted the updated implant while investigating recent attacks where the attackers deployed the RAT malware using a malicious MMC script camouflaged as a Word document, which downloaded second-stage payloads and gained persistence on compromised systems.
One of the malicious payloads is an unknown intermediary backdoor that helps transfer files between the command and control servers and hacked devices, run command shells, create new processes, delete files, and more.
"I
Securelist
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
blogs_securelist·2025-04-17·CVSS 7.8
[HIGH] IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
Table of Contents
Infection through a malicious MMC script
Intermediary backdoor
New version of MysterySnail RAT
MysteryMonoSnail – a repurposed version of MysterySnail RAT
Obsolete malware families may reappear at any time
Authors
GReAT
Day after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in its own way, and as a result gets its own destiny – while the use of some malware families is reported for decades, information about others disappears after days, months or several years.
We observed the latter situation with an implant that we dubbed MysterySnail RAT. We discovered it back in 2021, when we were investigating the CVE-2021-40449 zero-day vulnerability. At that time, we identified this backdoor as related to the IronH
Securelist
New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor
blogs_securelist·2025-04-17·CVSS 7.8
[HIGH] New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor
Table of Contents
- Infection through a malicious MMC script
- Intermediary backdoor
- New version of MysterySnail RAT
- MysteryMonoSnail – a repurposed version of MysterySnail RAT
- Obsolete malware families may reappear at any time
Authors
- GReAT
Day after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in its own way, and as a result gets its own destiny – while the use of some malware families is reported for decades, information about others disappears after days, months or several years.
We observed the latter situation with an implant that we dubbed MysterySnail RAT. We discovered it back in 2021, when we were investigating the CVE-2021-40449 zero-day vulnerability. At that time, we identified this backdoor as related to t
Tenable
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
blogs_tenable·2024-06-11
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
Securelist
Updated MATA attacks industrial companies in Eastern Europe
blogs_securelist·2023-10-18·CVSS 8.8
[HIGH] Updated MATA attacks industrial companies in Eastern Europe
Table of Contents
The infection chain
Incident investigation
Interesting findings
Authors
GReAT
Kaspersky ICS CERT
In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.
The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser. Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents v
Bleepingcomputer
MATA malware framework exploits EDR in attacks on defense firms
blogs_bleepingcomputer·2023-10-18·CVSS 8.8
CVE-2021-26411 [HIGH] MATA malware framework exploits EDR in attacks on defense firms
## MATA malware framework exploits EDR in attacks on defense firms
## Bill Toulas
An updated version of the MATA backdoor framework was spotted in attacks between August 2022 and May 2023, targeting oil and gas firms and the defense industry in Eastern Europe.
The attacks employed spear-phishing emails to trick targets into downloading malicious executables that exploit CVE-2021-26411 in Internet Explorer to initiate the infection chain.
The updated MATA framework combines a loader, a main trojan, and an infostealer to backdoor and gain persistence in targeted networks.
The MATA version in these attacks is similar to previous versions linked to the North Korean Lazarus hacking group but with updated capabilities.
Notably, spreading malware across all reachable corners of the corporat
Tenable
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
blogs_tenable·2023-05-09·CVSS 7.8
[HIGH] Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
APT annual review 2021
blogs_securelist·2021-11-30
APT annual review 2021
Table of Contents
Private sector vendors play a significant role in the threat landscape
Supply-chain attacks
Exploiting vulnerabilities
Firmware vulnerabilities
Authors
GReAT
In the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews here, here and here. For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it’s important to note that no single vendor has complete visibility into the activities of all threat actors.
## Private sector vendors play a significant role in the threat landscape
Possibly the bigges
Checkpoint
18th October – Threat Intelligence Report
blogs_checkpoint·2021-10-18
CVE-2021-40449 18th October – Threat Intelligence Report
## 18th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 18th October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Israeli Medical Center Hillel Yaffe has been targeted by ransomware affecting the hospital’s computer systems, which have been working in a limited capacity since the attack occurred.
Russia-based group TA505 is running a new email phishing campaign dubbed MirrorBlast, targeting financial organizations with malicious mac
Qualys
Microsoft & Adobe Patch Tuesday (October 2021) – Microsoft 74 Vulnerabilities with 3 Critical, 4 Zero-Days. Adobe 10 Vulnerabilities
blogs_qualys·2021-10-13·CVSS 9.0
CVE-2021-40449 [CRITICAL] Microsoft & Adobe Patch Tuesday (October 2021) – Microsoft 74 Vulnerabilities with 3 Critical, 4 Zero-Days. Adobe 10 Vulnerabilities
## Microsoft Patch Tuesday – October 2021
Microsoft patched 74 vulnerabilities in their October 2021 Patch Tuesday release, of which three are rated as critical severity and four were previously reported as zero-days.
## Critical Microsoft Vulnerabilities Patched
CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
This was a zero-day, and one of the four addressed by Microsoft this month. This vulnerability impacts the Win32K kernel driver. This is being actively exploited by IronHusky and Chinese APT groups. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability and it should be prioritized for patching.
CVE-2021-40486 – Microsoft Word Remote Code Execution Vulnerability
This vulnerability is due to improper input validation in Microsoft Word. Adversaries
Krebs
Patch Tuesday, October 2021 Edition
blogs_krebs·2021-10-13·CVSS 7.8
[HIGH] Patch Tuesday, October 2021 Edition
Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month’s Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.
Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of
Trendmicro
October Patch Tuesday: 3 Critical Bulletins Among 71
blogs_trendmicro·2021-10-13·CVSS 8.0
[HIGH] October Patch Tuesday: 3 Critical Bulletins Among 71
Exploits & Vulnerabilities
# October Patch Tuesday: 3 Critical Bulletins Among 71
The October Patch Tuesday maintains the relatively peaceful streak from previous months with only 3 bulletins rated as Critical among 71 new vulnerabilities.
By: Trend Micro
2021/10/13
The October 2021 Patch Tuesday continues the quiet streak observed for the months of August and September. Out of 71 bulletins, only three were rated Critical this month. The list also included a fix for four publicly known vulnerabilities. Of the fixed vulnerabilities, 11 were disclosed via the Zero Day Initiative.
Three Critical patches and other notable vulnerabilities
Only three patches were rated Critical this month. Two of them were remote code execution (RCE) vulnerabilities (CVE
Tenable
Microsoft’s October 2021 Patch Tuesday Addresses 74 CVEs (CVE-2021-40449)
blogs_tenable·2021-10-12·CVSS 7.8
[HIGH] Microsoft’s October 2021 Patch Tuesday Addresses 74 CVEs (CVE-2021-40449)
Talos
Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities
blogs_talos·2021-10-12·CVSS 8.8
[HIGH] Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities
## Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Asheer Malhotra.
Microsoft released its monthly security update Tuesday, disclosing 78 vulnerabilities in the company’s various software, hardware and firmware offerings.
This month’s release is particularly notable because there are only two critical vulnerabilities included, with the rest being important. This is the fewest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year.
CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible
Securelist
MysterySnail attacks with Windows zero-day
blogs_securelist·2021-10-12·CVSS 7.8
CVE-2016-3309 [HIGH] MysterySnail attacks with Windows zero-day
Table of Contents
- Executive Summary
- Elevation of privilege exploit
- MysterySnail RAT
- IoCs
Authors
- Boris Larin
- Costin Raiu
## Executive Summary
In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as no
Crowdstrike
October 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] October 2021 Patch Tuesday: Updates and Analysis
Zscaler
Zscaler found Microsoft Windows vulnerabilities | 10-12-2021
blogs_zscaler·CVSS 7.8
[HIGH] Zscaler found Microsoft Windows vulnerabilities | 10-12-2021
Timeline
- 2021-10-13: Published
- 2021-11-17: Added to CISA KEV
- Exploited in the wild