Cyber Resilience

CVE-2021-36934

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 July 2021
Modified: 25 February 2026
KEV Added: 10 February 2022
Patch
CVSS Score: v3.1 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9042 (99.6th percentile)
Risk Priority: 90 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36934 is a high-severity elevation-of-privilege vulnerability in Microsoft Windows 10 (releases 1809 through 21H1); no specific CWE is assigned to it. Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS 0.9042), CISA has added it to the Known Exploited Vulnerabilities catalog, and public proof-of-concept code is available.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2021-36934 is an elevation-of-privilege vulnerability in Windows caused by overly permissive Access Control Lists on multiple system files, including the Security Accounts Manager (SAM) database. Successful exploitation allows an attacker to run arbitrary code with SYSTEM-level privileges on the affected system.

An attacker must already be able to execute code on the victim machine. Once exploited, the attacker can install programs, view or modify data, delete files, and create new accounts with full administrative rights. The CVSS 3.1 base score is 7.8 with a local attack vector, low attack complexity, and low privileges required.

Microsoft’s advisory states that the security update alone does not fully remediate the issue; administrators must also manually delete all Volume Shadow Copies of the affected system files, including the SAM database, as described in KB5005357. Public exploit code released under the names HiveNightmare and SeriousSAM demonstrates the flaw: running with standard user privileges, it reads the SAM, SECURITY and SYSTEM hives from an existing shadow copy, because the live hive files are held open by the operating system and cannot be read directly. A host with the weak ACLs but no shadow copies is therefore not exposed until one is created (for example by a system restore point), and shadow copies taken before the ACLs were corrected remain readable after patching, which is why deleting them is part of the fix.
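The check and the two-part remediation described above, written out as a PowerShell script. This is an added example, not code from the original page or from Microsoft; the function names, the -Remediate switch and the report layout are this example's own choices, and the shadow-copy enumeration via Win32_ShadowCopy is an assumption about how you prefer to list them. The icacls /inheritance:e command and the vssadmin shadow deletion are the steps Microsoft published for this CVE; the /all and /quiet options on vssadmin are this example's choice.

```powershell
# Added example (not the page's or Microsoft's code): audit a Windows 10 host
# for the CVE-2021-36934 condition and optionally apply the vendor workaround.
# Run from an elevated PowerShell session; the remediation step needs admin rights.

[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch: apply the workaround instead of only reporting

$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveNames = 'SAM', 'SECURITY', 'SYSTEM'

# A vulnerable host grants BUILTIN\Users read access on the hive files
# (icacls prints "BUILTIN\Users:(I)(RX)"). The live files are locked, but the same
# ACL applies to their copies inside Volume Shadow Copies, which a standard user can open.
function Test-HiveAcl {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $read = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $usersCanRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -ne 0
    }
    [pscustomobject]@{ Hive = $Path; UsersCanRead = [bool]$usersCanRead }
}

# Shadow copies created while the ACL was wrong keep the readable hives even after
# the patch, which is why KB5005357 requires deleting them.
function Get-ShadowCopyList {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate, DeviceObject
}

function Get-HiveNightmareStatus {
    $hives   = $HiveNames | ForEach-Object { Test-HiveAcl -Path (Join-Path $ConfigDir $_) }
    $shadows = @(Get-ShadowCopyList)
    $aclVuln = [bool]($hives | Where-Object UsersCanRead)
    [pscustomobject]@{
        Hives         = $hives
        ShadowCopies  = $shadows
        AclVulnerable = $aclVuln
        # Exposed only when a readable ACL and a shadow copy to read it from both exist.
        Exposed       = $aclVuln -and ($shadows.Count -gt 0)
    }
}

function Invoke-HiveNightmareWorkaround {
    # Step 1 (Microsoft workaround): re-propagate inheritance from the config folder so
    # the hive files drop the stale inherited ACE that granted BUILTIN\Users read access.
    & icacls "$ConfigDir\*.*" /inheritance:e | Out-Null

    # Step 2 (KB5005357): delete existing shadow copies of the system volume.
    # /all and /quiet are this example's choice of options.
    & vssadmin delete shadows "/for=$($env:SystemDrive)" /all /quiet | Out-Null

    # Step 3: a fresh restore point taken now carries the corrected ACL. This fails when
    # System Protection is disabled, so the error is reported rather than hidden.
    try {
        Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -ErrorAction Stop
    } catch {
        Write-Warning "Could not create a restore point: $($_.Exception.Message)"
    }
}

$status = Get-HiveNightmareStatus
$status.Hives | Format-Table -AutoSize
"Shadow copies present: $($status.ShadowCopies.Count)"
"ACL vulnerable: $($status.AclVulnerable)   Exposed: $($status.Exposed)"

if ($Remediate) {
    Invoke-HiveNightmareWorkaround
    $after = Get-HiveNightmareStatus
    "After workaround: ACL vulnerable = $($after.AclVulnerable); shadow copies = $($after.ShadowCopies.Count)"
}
```

Run it without arguments to audit, and with -Remediate to apply the workaround and re-check. The script deliberately reports the ACL state and the shadow-copy count separately: the security update fixes the former, and only deleting the pre-existing shadow copies (or waiting for them to age out) fixes the latter.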


Vulnerability details

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies (https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1809: builds earlier than 10.0.17763.2114 (the fixed build)
Microsoft Windows 10 1909: builds earlier than 10.0.18363.1734 (the fixed build)
Microsoft Windows 10 2004: builds earlier than 10.0.19041.1165 (the fixed build)
Microsoft Windows 10 20H2: builds earlier than 10.0.19042.1165 (the fixed build)
Microsoft Windows 10 21H1: builds earlier than 10.0.19043.1165 (the fixed build)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces proper ACLs on system files such as the SAM database, preventing unauthorized local reads from shadow copies.

AC-6 Least Privilege (prevent): Requires least-privilege file permissions so standard users cannot access sensitive registry hives in Volume Shadow Copies.

Secure configuration (prevent): Mandates secure configuration settings that include hardened ACLs and removal of vulnerable shadow copies after patching.
