Cyber Resilience

CVE-2021-1647

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 January 2021
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch: available (Microsoft security advisory)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7611 (98.9th percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-1647 is a high-severity code execution vulnerability in Microsoft Defender. No CWE has been assigned, so the weakness type is unspecified. Windows Defender, Microsoft Security Essentials and Microsoft System Center Endpoint Protection are all affected. Its CVSS 3.1 base score is 7.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by EPSS exploit likelihood (EPSS 0.7611, 98.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2021-1647 is a code execution vulnerability in the Microsoft Defender antimalware engine on Windows systems. Microsoft titles it a remote code execution vulnerability, but the CVSS vector scores it as a local attack. The flaw carries a CVSS 3.1 base score of 7.8: local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope, and high impact to confidentiality, integrity, and availability.

An attacker who can already run code or place content on the host with ordinary user rights can exploit the vulnerability to execute arbitrary code. Because the Defender engine service runs as SYSTEM, successful exploitation yields full control over the affected system, including reading sensitive data, modifying files, and disrupting operations.

Microsoft's security advisory (MSRC) describes the fix. It ships as an update to the antimalware engine and is normally delivered automatically alongside definition updates rather than through a monthly OS patch, so hosts cut off from update sources can remain vulnerable long after release. The CISA Known Exploited Vulnerabilities catalog confirms active exploitation of CVE-2021-1647 in the wild.

EU & UK References

Vulnerability details

Microsoft Defender Remote Code Execution Vulnerability

CWE(s): none assigned
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows Defender: all versions
Microsoft Security Essentials: all versions
Microsoft System Center Endpoint Protection 2012: all versions

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation)

Directly requires timely application of the engine update Microsoft released to eliminate the code execution flaw in Defender. Since the fix ships with definition updates rather than a monthly OS patch, verify the engine version on each host instead of assuming patch-management coverage.

prevent: AC-6 (Least Privilege)

Enforces least-privilege execution so that a local attacker starts with minimal rights. Note that the vector's PR:L means an ordinary user account already satisfies the privilege requirement, so AC-6 mainly limits who can run code or place files on the host, not what a successful exploit obtains.

detect

Enables continuous monitoring of Defender engine processes and anomalous local code-execution behavior, such as the antimalware service process spawning a shell or other unexpected child process, that would indicate exploitation of CVE-2021-1647.
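The SI-2 check a practitioner actually needs is the engine version, not the OS patch level. As an added example (not code from this page, from Microsoft, or from the tracker that produced it), the following PowerShell reports whether a host's Defender antimalware engine is at or above the version that addresses CVE-2021-1647 and whether the engine is running at all. The default fixed version, 1.1.17700.4, is taken from Microsoft's MSRC advisory for this CVE and is not stated on this page; confirm it against the advisory before relying on it. The inventory file and the remoting call at the end are hypothetical.

```powershell
# Added example, not from the original page or from Microsoft.
# Checks a Windows host's Microsoft Malware Protection Engine version against the
# version that addresses CVE-2021-1647. The default below is the value given in
# Microsoft's advisory for this CVE; verify it there, this page does not state it.

function Test-Cve20211647Patched {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [string]$FixedVersion = '1.1.17700.4'
    )
    # Compare as [version], not as strings: a string comparison would rank
    # 1.1.9000.0 above 1.1.17700.4 and report a vulnerable host as patched.
    $have = [version]$EngineVersion
    $need = [version]$FixedVersion
    [pscustomobject]@{
        EngineVersion = $have.ToString()
        FixedVersion  = $need.ToString()
        Patched       = ($have -ge $need)
    }
}

# Self-contained script block so the same check can be pushed to remote hosts.
$Check = {
    param([string]$FixedVersion = '1.1.17700.4')
    # Get-MpComputerStatus comes with the Defender module (Windows 10 / Server 2016+).
    # AMEngineVersion is the engine build the fix changes; AMServiceEnabled and
    # RealTimeProtectionEnabled show whether that engine is actually scanning.
    $mp   = Get-MpComputerStatus
    $have = [version]$mp.AMEngineVersion
    $need = [version]$FixedVersion
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $have.ToString()
        Patched            = ($have -ge $need)
        EngineEnabled      = $mp.AMServiceEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated
    }
}

# Local run:
& $Check | Format-List

# Fleet run (hypothetical inventory file; assumes WinRM is enabled on targets):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock $Check |
#     Where-Object { -not $_.Patched -or -not $_.EngineEnabled } |
#     Format-Table ComputerName, EngineVersion, Patched, EngineEnabled, SignaturesUpdated
```

A host whose engine is disabled or whose SignaturesUpdated date is stale is the one most likely to be stuck below the fixed version, because the engine update rides on the same channel as definitions; those are the hosts to chase first.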

References