Security News > 2021 > October > All Windows versions impacted by new LPE zero-day vulnerability

All Windows versions impacted by new LPE zero-day vulnerability
2021-10-28 21:34

A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept exploit that gives SYSTEM privileges under certain conditions.

A public proof-of-concept exploit and technical details for an unpatched Windows zero-day privilege elevation vulnerability has been disclosed that allows users to gain SYSTEM privileges under certain conditions.

The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

August, Microsoft released a security update for a "Windows User Profile Service Elevation of Privilege Vulnerability" tracked as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri.

"Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction," Naceria explains in a technical writeup about the vulnerability and the new bypass.

Will Dormann, a vulnerability analyst for CERT/CC, tested the vulnerability and found that while it worked, it was temperamental and did not always create the elevated command prompt.


News URL

https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-08-12 CVE-2021-34484 Unspecified vulnerability in Microsoft products
Windows User Profile Service Elevation of Privilege Vulnerability 		0.0
0.0