CVE-2021-27085
Published: 11 March 2021
Summary
CVE-2021-27085 is a high-severity vulnerability in Microsoft Internet Explorer for which no specific weakness type (CWE) has been assigned. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 16.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2021-27085 is a remote code execution vulnerability affecting Internet Explorer. It received a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L and is tracked under NVD-CWE-noinfo.
An attacker can exploit the flaw over the network without authentication when a user interacts with specially crafted content (UI:R). The resulting code execution crosses a security boundary (scope changed), with limited confidentiality impact, high integrity impact, and limited availability impact.
Microsoft has published security guidance and updates addressing the issue through its MSRC advisory portal, while CISA has added CVE-2021-27085 to its catalog of known exploited vulnerabilities.
The vulnerability was publicly disclosed on 11 March 2021.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13856
Vulnerability details
Internet Explorer Remote Code Execution Vulnerability
- CWE(s): NVD-CWE-noinfo (no specific weakness assigned)
- KEV date added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor security updates that Microsoft released to eliminate the remote code execution flaw in Internet Explorer.
- SC-18 (Mobile Code): establishes usage restrictions and implementation guidance for mobile code (scripts, ActiveX, etc.) processed by Internet Explorer, limiting the attack surface exploited by crafted web content.
- CM-7 (Least Functionality): enforces least functionality by disabling or restricting unnecessary browser components and features that enable the cross-boundary code execution described in the CVE.