CVE-2021-41379: Windows 10 Privilege Escalation Flaw

CVE-2021-41379 Overview

CVE-2021-41379 is a Windows Installer Elevation of Privilege Vulnerability that affects a wide range of Microsoft Windows operating systems, including both desktop and server editions. This vulnerability allows a local attacker with low privileges to escalate their permissions to SYSTEM level, gaining complete control over the affected system. The flaw exists in the Windows Installer service (msiexec.exe) and involves improper handling of symbolic links (symlinks).

Critical Impact
This vulnerability is actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers with local access can leverage this flaw to achieve SYSTEM-level privileges, enabling complete system compromise including data theft, malware installation, and lateral movement.

Affected Products

Microsoft Windows 7 SP1
Microsoft Windows 8.1 and Windows RT 8.1
Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
Microsoft Windows 11 21H2
Microsoft Windows Server 2008 SP2, 2008 R2 SP1
Microsoft Windows Server 2012, 2012 R2
Microsoft Windows Server 2016, 2019, 2022
Microsoft Windows Server versions 2004 and 20H2

Discovery Timeline

November 10, 2021 - CVE-2021-41379 published to NVD
October 30, 2025 - Last updated in NVD database

Technical Details for CVE-2021-41379

Vulnerability Analysis

This vulnerability falls under CWE-59 (Improper Link Resolution Before File Access, or "Link Following"), commonly known as a symlink attack vulnerability. The Windows Installer service improperly handles symbolic links during certain file operations, allowing an attacker to redirect operations intended for one location to a different, sensitive location on the filesystem.

The vulnerability is particularly dangerous because it can be exploited by any authenticated user with local access to the system. No special privileges beyond standard user access are required to trigger the exploitation path. The attack does not require any user interaction, making it highly reliable for attackers who have already gained initial access to a target environment.

When successfully exploited, the attacker gains the ability to read, write, and execute with SYSTEM privileges—the highest privilege level on Windows systems. This complete compromise enables attackers to install persistent backdoors, disable security software, access protected credentials, and move laterally through the network.

Root Cause

The root cause of CVE-2021-41379 lies in how the Windows Installer service handles file operations when processing MSI packages. The service fails to properly validate and resolve symbolic links before performing privileged file operations. This allows an attacker to create a carefully crafted symlink that redirects the Installer's write operations to arbitrary locations with SYSTEM privileges.

The vulnerability specifically affects the rollback functionality of Windows Installer, where temporary files and registry entries are created during installation. By manipulating the junction points and symbolic links involved in this process, an attacker can cause the Installer service to overwrite or create files in protected system directories.

Attack Vector

The attack vector for CVE-2021-41379 is local, requiring the attacker to have authenticated access to the target system. The exploitation flow typically involves:

The attacker creates a malicious MSI package or leverages an existing installation process
During the installation or rollback phase, the attacker creates symbolic links that redirect file operations
The Windows Installer service, running with SYSTEM privileges, follows these symlinks without proper validation
File operations are performed in attacker-controlled locations with elevated privileges
The attacker achieves arbitrary file write or overwrite capabilities as SYSTEM

This vulnerability can be chained with other techniques to execute arbitrary code with SYSTEM privileges, such as overwriting critical system binaries or DLLs that are loaded by privileged services.

Detection Methods for CVE-2021-41379

Indicators of Compromise

Suspicious creation of junction points or symbolic links in user-writable directories pointing to system directories
Unusual msiexec.exe process behavior, including unexpected file operations in protected paths
Creation or modification of files in C:\Windows\System32\ or other protected directories by non-administrative users
Evidence of privilege escalation tools or post-exploitation frameworks that leverage this CVE

Detection Strategies

Monitor Windows Security Event Logs for Event ID 4688 (Process Creation) involving msiexec.exe with suspicious command-line parameters
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
Use endpoint detection and response (EDR) solutions to identify symlink creation patterns followed by MSI installations
Alert on anomalous SYSTEM-level file operations that originate from user-initiated MSI installations

Monitoring Recommendations

Enable command-line auditing and PowerShell script block logging to capture detailed execution context
Configure Windows Defender Exploit Guard to monitor for common exploitation patterns
Implement Sysmon with rules targeting symbolic link creation (Event ID 11) and process access events
Review Windows Installer logs (%TEMP%\MSI*.LOG) for suspicious installation activities

How to Mitigate CVE-2021-41379

Immediate Actions Required

Apply the Microsoft security update immediately to all affected Windows systems
Prioritize patching for systems listed in the CISA KEV catalog compliance requirements
Conduct a security assessment to identify any systems that may have been compromised prior to patching
Implement application control policies to restrict execution of unauthorized MSI packages

Patch Information

Microsoft has released security updates addressing CVE-2021-41379 as part of their November 2021 Patch Tuesday release. Organizations should apply the appropriate cumulative update for their Windows version. Detailed patch information and download links are available in the Microsoft Security Advisory for CVE-2021-41379. Additional technical analysis is available in the Zero Day Initiative Advisory ZDI-21-1308.

Workarounds

Restrict local user access to systems where patching cannot be immediately applied
Use Windows Defender Application Control (WDAC) or AppLocker to restrict MSI package execution to trusted publishers
Implement the principle of least privilege to minimize the impact of potential exploitation
Consider temporarily disabling the Windows Installer service on critical systems where MSI installations are not required (note: this may impact software deployment operations)

bash

# Disable Windows Installer service temporarily (use with caution)
sc config msiserver start= disabled
sc stop msiserver

# Re-enable after patching
sc config msiserver start= demand

CVE-2021-41379 Overview

Critical Impact
This vulnerability is actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers with local access can leverage this flaw to achieve SYSTEM-level privileges, enabling complete system compromise including data theft, malware installation, and lateral movement.

Affected Products

Microsoft Windows 7 SP1
Microsoft Windows 8.1 and Windows RT 8.1
Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
Microsoft Windows 11 21H2
Microsoft Windows Server 2008 SP2, 2008 R2 SP1
Microsoft Windows Server 2012, 2012 R2
Microsoft Windows Server 2016, 2019, 2022
Microsoft Windows Server versions 2004 and 20H2

Discovery Timeline

November 10, 2021 - CVE-2021-41379 published to NVD
October 30, 2025 - Last updated in NVD database

Technical Details for CVE-2021-41379

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for CVE-2021-41379 is local, requiring the attacker to have authenticated access to the target system. The exploitation flow typically involves:

The attacker creates a malicious MSI package or leverages an existing installation process
During the installation or rollback phase, the attacker creates symbolic links that redirect file operations
The Windows Installer service, running with SYSTEM privileges, follows these symlinks without proper validation
File operations are performed in attacker-controlled locations with elevated privileges
The attacker achieves arbitrary file write or overwrite capabilities as SYSTEM

This vulnerability can be chained with other techniques to execute arbitrary code with SYSTEM privileges, such as overwriting critical system binaries or DLLs that are loaded by privileged services.

Detection Methods for CVE-2021-41379

Indicators of Compromise

Suspicious creation of junction points or symbolic links in user-writable directories pointing to system directories
Unusual msiexec.exe process behavior, including unexpected file operations in protected paths
Creation or modification of files in C:\Windows\System32\ or other protected directories by non-administrative users
Evidence of privilege escalation tools or post-exploitation frameworks that leverage this CVE

Detection Strategies

Monitor Windows Security Event Logs for Event ID 4688 (Process Creation) involving msiexec.exe with suspicious command-line parameters
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
Use endpoint detection and response (EDR) solutions to identify symlink creation patterns followed by MSI installations
Alert on anomalous SYSTEM-level file operations that originate from user-initiated MSI installations

Monitoring Recommendations

Enable command-line auditing and PowerShell script block logging to capture detailed execution context
Configure Windows Defender Exploit Guard to monitor for common exploitation patterns
Implement Sysmon with rules targeting symbolic link creation (Event ID 11) and process access events
Review Windows Installer logs (%TEMP%\MSI*.LOG) for suspicious installation activities

How to Mitigate CVE-2021-41379

Immediate Actions Required

Apply the Microsoft security update immediately to all affected Windows systems
Prioritize patching for systems listed in the CISA KEV catalog compliance requirements
Conduct a security assessment to identify any systems that may have been compromised prior to patching
Implement application control policies to restrict execution of unauthorized MSI packages

Patch Information

Workarounds

Restrict local user access to systems where patching cannot be immediately applied
Use Windows Defender Application Control (WDAC) or AppLocker to restrict MSI package execution to trusted publishers
Implement the principle of least privilege to minimize the impact of potential exploitation
Consider temporarily disabling the Windows Installer service on critical systems where MSI installations are not required (note: this may impact software deployment operations)

bash

# Disable Windows Installer service temporarily (use with caution)
sc config msiserver start= disabled
sc stop msiserver

# Re-enable after patching
sc config msiserver start= demand

CVE-2021-41379: Windows 10 Privilege Escalation Flaw

CVE-2021-41379 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-41379

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-41379

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-41379

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-41379: Windows 10 Privilege Escalation Flaw

CVE-2021-41379 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-41379

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-41379

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-41379

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform