Security News > 2021 > October > All Windows versions impacted by new LPE zero-day vulnerability
A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept exploit that gives SYSTEM privileges under certain conditions.
A public proof-of-concept exploit and technical details for an unpatched Windows zero-day privilege elevation vulnerability has been disclosed that allows users to gain SYSTEM privileges under certain conditions.
The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
August, Microsoft released a security update for a "Windows User Profile Service Elevation of Privilege Vulnerability" tracked as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri.
"Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction," Naceria explains in a technical writeup about the vulnerability and the new bypass.
Will Dormann, a vulnerability analyst for CERT/CC, tested the vulnerability and found that while it worked, it was temperamental and did not always create the elevated command prompt.
News URL
Related news
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- New Windows Server 2012 zero-day gets free, unofficial patches (source)
- New Windows zero-day exposes NTLM credentials, gets unofficial patch (source)
- Zero-Day Vulnerability in Ivanti VPN (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-12 | CVE-2021-34484 | Unspecified vulnerability in Microsoft products Windows User Profile Service Elevation of Privilege Vulnerability | 0.0 |