cbcvebase.
CVE-2021-41285
published 2021-10-04

Priority: P2
CVSS 3.1 base score: 7.8 (High)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV, exploited in the wild
EPSS: 0.52% (40.2th percentile)
Ballistix MOD Utility through 2.0.2.5 is vulnerable to privilege escalation in the MODAPI.sys driver component. The vulnerability is triggered by sending a specific IOCTL request that allows low-privileged users to directly interact with physical memory via the MmMapIoSpace function call (mapping physical memory into a virtual address space). Attackers could exploit this issue to achieve local privilege escalation to NT AUTHORITY\SYSTEM.

Affected

1 range
Vendor: micron
Product: ballistix_memory_overview_display_utility
Version range: <= 2.0.2.5
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: foxitcrack.exe
filename: WinRing0.sys
domain: ankjdans[.]xyz
url: hxxps://github[.]com/cppdev-123
  • Alert on processes that issue IOCTL requests to WinRing0.sys reaching MmMapIoSpace, as this is the mechanism used to map physical memory into the virtual address space for privilege escalation.
  • Detect DNS-over-HTTPS (DoH) queries to Google Public DNS used to resolve the hardcoded C2 domain, which bypass traditional DNS monitoring.
  • Hunt for processes launching from or registering as the AppInfo service, as SteelFox abuses this service for persistence so that NT\SYSTEM privileges are required to interact with the loader.
  • The C2 domain ankjdans[.]xyz uses dynamically rotating IP addresses, so IP-based blocking alone is insufficient; domain-level blocking or DoH inspection is required.
  • The WinRing0.sys driver is also a legitimate component of the XMRig miner, so its presence alone may generate false positives in mining-related environments; correlate with pipe name and IOCTL activity.
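
As an added illustration of the correlation these notes describe (not code from this record or its sources), the following Python tags constructed, Sysmon-like events (hypothetical field names) for loads of WinRing0.sys or MODAPI.sys, DoH connections to Google Public DNS (dns.google, 8.8.8.8 and 8.8.4.4 are assumed endpoints), lookups of ankjdans[.]xyz and AppInfo-hosted process launches, and reports a host only when a driver load coincides with another indicator, which keeps a lone XMRig WinRing0.sys load from alerting.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set
# Indicators come from this record; the event layout is a constructed,
# Sysmon-like simplification with hypothetical field names, not a real schema.
VULN_DRIVERS = {"winring0.sys", "modapi.sys"}
C2_DOMAINS = {"ankjdans.xyz"}
DOH_RESOLVERS = {"dns.google", "8.8.8.8", "8.8.4.4"}  # assumed Google Public DNS endpoints

def refang(value: str) -> str:
    """Normalise a defanged indicator (ankjdans[.]xyz, hxxps://) so it matches log data."""
    return value.lower().replace("[.]", ".").replace("hxxp", "http")

def classify(event: dict) -> Optional[str]:
    """Tag one event, or return None when it matches nothing from the record."""
    kind = event.get("type")
    if kind == "driver_load":
        name = event.get("image", "").rsplit("\\", 1)[-1].lower()
        return "vuln_driver" if name in VULN_DRIVERS else None
    if kind == "dns_query":
        return "c2_domain" if refang(event.get("query", "")) in C2_DOMAINS else None
    if kind == "network_connect":
        doh = refang(event.get("dest", "")) in DOH_RESOLVERS and event.get("port") == 443
        return "doh_google" if doh else None
    if kind == "process_create":
        return "appinfo_launch" if event.get("parent_service", "").lower() == "appinfo" else None
    return None

def correlate(events: List[dict], window: int = 600) -> Dict[str, Set[str]]:
    """Per host, gather tags seen within `window` seconds of a vulnerable-driver load.
    A host is reported only when the load is joined by another tag, so a lone
    WinRing0.sys load (e.g. from XMRig) does not fire by itself."""
    by_host: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag))
    hits: Dict[str, Set[str]] = {}
    for host, tagged in by_host.items():
        loads = [ts for ts, tag in tagged if tag == "vuln_driver"]
        near = {tag for ts, tag in tagged if any(abs(ts - l) <= window for l in loads)}
        if len(near) > 1:
            hits[host] = near
    return hits

SAMPLE = [  # constructed events, not from any real incident
    {"host": "ws01", "ts": 100, "type": "driver_load", "image": r"C:\Windows\Temp\WinRing0.sys"},
    {"host": "ws01", "ts": 130, "type": "network_connect", "dest": "dns.google", "port": 443},
    {"host": "ws01", "ts": 131, "type": "dns_query", "query": "ankjdans[.]xyz"},
    {"host": "miner7", "ts": 500, "type": "driver_load", "image": r"C:\xmrig\WinRing0.sys"},
]
```

Running `correlate(SAMPLE)` flags ws01 with the driver load, the DoH connection and the C2 lookup, while miner7 stays silent because its driver load has no companion indicator.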

CVSS provenance

Source: nvd · CVSS v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: nvd · CVSS v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
Source: vulncheck · 7.8 HIGH