Security News > 2022 > March > Windows zero-day flaw giving admin rights gets unofficial patch, again
A Windows local privilege escalation zero-day vulnerability that Microsoft has failed to fully address for several months now, allows users to gain administrative privileges in Windows 10, Windows 11, and Windows Server.
According to the 0patch team, which has been unofficially providing fixes for discontinued Windows versions and some vulnerabilities that Microsoft won't address, the flaw is still a zero-day.
The Windows User Profile Service Elevation of Privilege Vulnerability, tracked as CVE-2021-34484, was discovered by security researcher Abdelhamid Naceri and disclosed to Microsoft, who fixed it as part of the August 2021 Patch Tuesday.
Soon after the fix was released, Naceri noticed that Microsoft's patch was incomplete and presented a proof of concept that bypassed it on all Windows versions.
Microsoft's second fixing attempt replaced the "Profext.dll" file, leading to the removal of the unofficial fix from everyone who had applied the January 2022 Windows updates.
It should be noted that Windows 10 1803, Windows 10 1809, and Windows 10 2004 are still protected by 0patch's original patch, as those devices have reached the end of support and did not receive the Microsoft update that replaced the DLL. How to install the micro-patch.
News URL
Related news
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017 (source)
- New Windows zero-day exploited by 11 state hacking groups since 2017 (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-12 | CVE-2021-34484 | Unspecified vulnerability in Microsoft products Windows User Profile Service Elevation of Privilege Vulnerability | 0.0 |