Security News > 2021 > May > Windows PoC Exploit Released for Wormable RCE

A researcher has released a proof-of-concept exploit for CVE-2021-31166, a use-after-free, highly critical vulnerability in the HTTP protocol stack that could lead to wormable remote code execution.
An exploit would allow RCE with kernel privileges or a denial-of-service attack.
This isn't the first PoC exploit for CVE-2021-31166 that Souchet has released, but this is the first wormable one.
The publishing of a PoC code like this is typically the first step in the lifecycle of an exploit.
One example is the eight-month lifecycle of CVE-2020-9054: an exploit sold on the XSS cybercriminal forum for $20,000 in February 2020 that got written up by cybersecurity journalist Brian Krebs, was publicly disclosed and patched by Microsoft in March 2020, and wound up being exploited by a botnet a month later.
Microsoft exploits, after all, are by far the most-requested and the most-sold exploit flavors on the underground market: All the more reason to heed Microsoft's advice to prioritize patching for this one.
News URL
https://threatpost.com/windows-exploit-wormable-rce/166289/
Related news
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- ⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-11 | CVE-2021-31166 | Use After Free vulnerability in Microsoft products HTTP Protocol Stack Remote Code Execution Vulnerability | 0.0 |
2020-03-04 | CVE-2020-9054 | OS Command Injection vulnerability in Zyxel products Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. | 9.8 |