CVE-2021-34484
Published: 12 August 2021
Summary
CVE-2021-34484 is a high-severity elevation-of-privilege vulnerability in the Windows User Profile Service, affecting Microsoft Windows, including Windows Server 2008. Its CVSS v3.1 base score is 7.8 (High).
Operationally, it ranks in the top 13.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege); these limit what a compromised low-privilege account can reach but do not remove the flaw, so applying Microsoft's update remains the primary fix.
Deeper analysis
The vulnerability is an elevation of privilege flaw in the Windows User Profile Service (the component that loads and manages user profiles at logon), assigned CVE-2021-34484 with a CVSS 3.1 base score of 7.8. It was published on 2021-08-12.
Per the CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), an attacker who already has local, low-privileged access can exploit the issue with low complexity and without user interaction, with high impact on the confidentiality, integrity, and availability of the affected system; in practice this means escalation from a standard user account to SYSTEM.
Microsoft has published security guidance addressing the vulnerability through its advisory portal, and the flaw appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed real-world exploitation activity. Practitioners should note that the original August 2021 fix was later found to be incomplete and Microsoft shipped a further fix for the same service in January 2022 (CVE-2022-21919); verify that hosts carry the later cumulative updates rather than only the August 2021 patch.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-21139
Vulnerability details
Windows User Profile Service Elevation of Privilege Vulnerability
- CWE(s): (none listed)
- KEV Date Added: 31 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE; the natural fit for a local privilege-escalation flaw is T1068 (Exploitation for Privilege Escalation).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): limits the standing privileges of local accounts so that a foothold on the host starts low-privileged; this narrows exposure but does not by itself stop exploitation, since the vulnerable User Profile Service runs as SYSTEM.
- AC-3 (Access Enforcement): enforces access-control decisions on the host so that the unprivileged starting point an exploit needs is as constrained as possible; it complements the patch rather than replacing it.
- SI-2 (Flaw Remediation): requires timely patching of this known-exploited User Profile Service vulnerability before local attackers can abuse it; its KEV listing means it should be prioritized over non-exploited findings of similar score.