CVE-2021-36934 Overview
CVE-2021-36934, also known as HiveNightmare or SeriousSAM, is an elevation of privilege vulnerability in Microsoft Windows 10 that exists due to overly permissive Access Control Lists (ACLs) on multiple critical system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploits this vulnerability could extract password hashes and other sensitive security information, ultimately enabling them to execute arbitrary code with SYSTEM privileges.
The vulnerability allows attackers with low-privilege access to read sensitive system files that should be protected, including the SAM, SYSTEM, and SECURITY registry hives. By extracting these files from Volume Shadow Copies, attackers can retrieve password hashes and machine keys that can be used for pass-the-hash attacks or credential cracking.
Critical Impact
This vulnerability enables local privilege escalation to SYSTEM level, allowing attackers to install programs, modify or delete data, and create new accounts with full administrative rights. CISA has confirmed active exploitation in the wild.
Affected Products
- Microsoft Windows 10 1809
- Microsoft Windows 10 1909
- Microsoft Windows 10 2004
- Microsoft Windows 10 20H2
- Microsoft Windows 10 21H1
Discovery Timeline
- 2021-07-22 - CVE-2021-36934 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2021-36934
Vulnerability Analysis
This privilege escalation vulnerability stems from improper access control configurations on Windows system files. The root issue involves overly permissive ACLs that grant the BUILTIN\Users group read access to sensitive system hives. Under normal circumstances, only SYSTEM and Administrator accounts should have access to these critical security files.
When Windows creates Volume Shadow Copies (VSS) for backup purposes, it preserves the permissive ACLs on the SAM, SYSTEM, and SECURITY registry hives. This allows any authenticated user to access shadow copy versions of these files and extract highly sensitive credential data, including local account password hashes and the machine's DPAPI encryption keys.
The vulnerability requires local code execution on the target system, meaning an attacker must already have some level of access to the victim machine. However, the barrier to exploitation is low—any authenticated user can leverage this flaw to escalate privileges to SYSTEM level.
Root Cause
The fundamental cause of CVE-2021-36934 is an improper Access Control List (ACL) configuration on system registry hives. Specifically, the BUILTIN\Users group was inadvertently granted read permissions on the following critical files:
- C:\Windows\System32\config\SAM - Contains local account password hashes
- C:\Windows\System32\config\SYSTEM - Contains boot configuration and encryption keys
- C:\Windows\System32\config\SECURITY - Contains security policy and LSA secrets
While direct access to these files is blocked when Windows is running (due to file locking), the permissive ACLs are preserved in Volume Shadow Copies, making them accessible to low-privileged users through the VSS service.
Attack Vector
The attack leverages local access to the system through Volume Shadow Copy exploitation. An attacker follows this general workflow:
- Verify that Volume Shadow Copies exist on the target system
- Access the shadow copy versions of the SAM, SYSTEM, and SECURITY hives using the permissive ACLs
- Extract password hashes from the SAM database using the SYSTEM hive's bootkey
- Perform offline hash cracking or pass-the-hash attacks to gain SYSTEM-level access
The exploitation is straightforward and requires no special tools beyond standard Windows utilities and publicly available credential extraction tools. Multiple proof-of-concept exploits have been published, making this vulnerability particularly dangerous for unpatched systems.
Detection Methods for CVE-2021-36934
Indicators of Compromise
- Unexpected access to Volume Shadow Copy paths containing \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy
- Processes accessing SAM, SYSTEM, or SECURITY registry hive files outside of normal system operations
- Use of credential extraction tools such as secretsdump.py, mimikatz, or similar utilities
- Unusual process creation with SYSTEM privileges following low-privilege user activity
Detection Strategies
- Monitor file access events to Volume Shadow Copy locations, specifically targeting SAM, SYSTEM, and SECURITY hive access
- Implement behavioral detection rules for known HiveNightmare exploitation tools and techniques
- Audit execution of icacls against C:\Windows\System32\config\SAM, which queries the hive's permissions and reveals whether the permissive ACL is present
- Deploy endpoint detection rules to identify shadow copy enumeration via vssadmin list shadows commands
Monitoring Recommendations
- Enable Windows Security Event logging for file access auditing on sensitive system directories
- Configure SIEM alerts for suspicious Volume Shadow Copy access patterns from non-administrative users
- Monitor for credential dumping indicators including unusual LSASS access or registry hive extraction
- Track privilege escalation patterns where standard user sessions spawn SYSTEM-level processes
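The shadow-copy hive access and vssadmin enumeration indicators above, applied to constructed event records as an added example (not part of the advisory). The record shape mirrors Security events 4663 and 4688; the user names, the allow-list and the sample paths are hypothetical.

```powershell
# Added example, not part of the advisory: applies the hive-access and
# shadow-copy-enumeration indicators to constructed event records.
# The fields mirror Security events 4663 (object access) and 4688 (process
# creation); real input would come from Get-WinEvent, these are built inline.
$sampleEvents = @(
    [pscustomobject]@{ Id = 4663; User = 'CORP\jdoe'; Object = '\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM'; CommandLine = $null }
    [pscustomobject]@{ Id = 4663; User = 'NT AUTHORITY\SYSTEM'; Object = 'C:\Windows\System32\config\SYSTEM'; CommandLine = $null }
    [pscustomobject]@{ Id = 4688; User = 'CORP\jdoe'; Object = $null; CommandLine = 'vssadmin list shadows' }
    [pscustomobject]@{ Id = 4688; User = 'CORP\backupsvc'; Object = $null; CommandLine = 'vssadmin.exe list shadows' }
    [pscustomobject]@{ Id = 4663; User = 'CORP\jdoe'; Object = '\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY'; CommandLine = $null }
)

# A hive read is only suspicious when the path goes through a shadow copy device;
# the live hives are locked, so the shadow copy is the only low-privilege route.
$hiveViaShadowCopy = '(?i)HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)$'
$enumerateShadows  = '(?i)^\s*vssadmin(\.exe)?\s+list\s+shadows'
# Hypothetical allow-list: accounts expected to touch shadow copies (backup agents, SYSTEM)
$allowList = @('NT AUTHORITY\SYSTEM', 'CORP\backupsvc')

function Find-HiveNightmareActivity {
    param([object[]]$Events, [string[]]$Allow = $allowList)
    foreach ($e in $Events) {
        if ($Allow -contains $e.User) { continue }
        if ($e.Id -eq 4663 -and $e.Object -match $hiveViaShadowCopy) {
            [pscustomobject]@{ User = $e.User; Reason = 'Hive read via shadow copy'; Detail = $e.Object }
        }
        elseif ($e.Id -eq 4688 -and $e.CommandLine -match $enumerateShadows) {
            [pscustomobject]@{ User = $e.User; Reason = 'Shadow copy enumeration'; Detail = $e.CommandLine }
        }
    }
}

# Correlate per user: enumeration plus a hive read from a shadow copy is the strongest signal
Find-HiveNightmareActivity -Events $sampleEvents |
    Group-Object -Property User |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.Name
            Alerts  = $_.Count
            Reasons = ($_.Group.Reason | Sort-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize
```

On the constructed input only CORP\jdoe is reported, with both reasons; the allow-listed backup account and SYSTEM are suppressed.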
How to Mitigate CVE-2021-36934
Immediate Actions Required
- Restrict access to %windir%\system32\config by running icacls %windir%\system32\config\*.* /inheritance:e
- Delete existing Volume Shadow Copies using vssadmin delete shadows /all /quiet
- Apply the Microsoft security update for your specific Windows 10 version
- Re-enable System Protection and create a new restore point after remediation
Patch Information
Microsoft has released security updates to address CVE-2021-36934. However, simply installing the patch does not fully mitigate the vulnerability. Administrators must also manually delete all existing Volume Shadow Copies that were created with the permissive ACLs.
Refer to the Microsoft Security Advisory CVE-2021-36934 for complete patch information and the official KB5005357 Delete Volume Shadow Copies guide for remediation steps.
Workarounds
- Restrict ACL permissions on the config folder using icacls %windir%\system32\config\*.* /inheritance:e to enforce inherited permissions
- Delete all Volume Shadow Copies with vssadmin delete shadows /all /quiet to remove compromised backups
- Temporarily disable System Protection if immediate patching is not possible
- After deletion, re-enable System Protection and create fresh restore points with correct ACLs
REM Remediation steps for CVE-2021-36934 (run from an elevated Command Prompt)
REM Step 1: Restrict ACLs on the hive files by restoring inherited permissions from %windir%\system32\config
icacls %windir%\system32\config\*.* /inheritance:e
REM Step 2: Delete all existing shadow copies, which still carry the permissive ACLs
vssadmin delete shadows /all /quiet
REM Step 3: Verify that no shadow copies remain (the list should be empty)
vssadmin list shadows
REM Step 4: Apply the security update, then re-enable System Protection and create a new restore point
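A host check that confirms whether the remediation above is still needed, as an added example (not Microsoft's or the advisory's own script): it tests the three hives for a BUILTIN\Users read ACE and counts existing shadow copies. It assumes an elevated PowerShell session on Windows 10; the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the advisory: checks a Windows 10 host for the two
# conditions CVE-2021-36934 needs, the permissive hive ACL and existing shadow
# copies, and reports whether the remediation steps still have to be applied.
$hivePaths = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAclExposure {
    param([string[]]$Paths = $hivePaths)
    foreach ($p in $Paths) {
        # Reading the security descriptor needs only READ_CONTROL, so it works
        # even though the live hive is locked; icacls relies on the same fact.
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Compare by SID (S-1-5-32-545 = BUILTIN\Users) so localized group names do not matter
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $canRead = (([int]$ace.FileSystemRights) -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($sid -eq 'S-1-5-32-545' -and $ace.AccessControlType -eq 'Allow' -and $canRead) {
                [pscustomobject]@{ Path = $p; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-ShadowCopyCount {
    # Snapshots taken while the ACL was permissive keep that ACL, so each one is an exposure
    return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
}

$exposed = @(Test-HiveAclExposure)
$shadows = Get-ShadowCopyCount

if ($exposed.Count -gt 0) {
    Write-Warning 'BUILTIN\Users can read these hive files (vulnerable ACL):'
    $exposed | Format-Table -AutoSize | Out-Host
} else {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
}
Write-Host "Existing shadow copies: $shadows"

if ($exposed.Count -gt 0 -or $shadows -gt 0) {
    Write-Host "Remediation still needed: icacls $env:windir\system32\config\*.* /inheritance:e, then vssadmin delete shadows /all /quiet, then patch and recreate restore points."
}
```

A host that has been patched but still holds pre-patch shadow copies reports a clean ACL and a non-zero shadow count, which is exactly the case the patch alone does not cover.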
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

