CVE-2021-4481 Overview
CVE-2021-4481 is a local privilege escalation vulnerability in Dräger Protector Software versions prior to 6.4.2. The flaw stems from insecure file system permissions on installed binaries and loaded modules. A local attacker with standard user access can replace executables or dependent modules used by the software. When the application or its associated service runs, the replaced code executes with NT AUTHORITY\SYSTEM privileges. The weakness is classified under [CWE-732] Incorrect Permission Assignment for Critical Resource.
Critical Impact
Local attackers can execute arbitrary code with NT AUTHORITY\SYSTEM privileges by replacing binaries or modules in the Dräger Protector Software installation directory.
Affected Products
- Dräger Protector Software versions prior to 6.4.2
- Windows host installations of the affected product
- Associated service binaries and loadable modules used by Protector Software
Discovery Timeline
- 2026-06-02 - CVE-2021-4481 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD
Technical Details for CVE-2021-4481
Vulnerability Analysis
The vulnerability exists because the Dräger Protector Software installation directory and the files within it are created with overly permissive access control entries. Standard, non-privileged users on the host can modify, replace, or overwrite executable files and dependent libraries used by the application. Because the software or its service runs in a privileged context, any attacker-supplied code placed on disk executes with NT AUTHORITY\SYSTEM rights at the next launch or service start. This converts a local user foothold into full administrative control of the host.
Root Cause
The root cause is improper permission assignment on critical resources [CWE-732]. During installation, the product sets Access Control Lists (ACLs) on its program files that grant write or modify access to unprivileged groups. Secure Windows software conventions require that files in privileged execution paths be writable only by Administrators, SYSTEM, and TrustedInstaller.
Attack Vector
Exploitation requires local access to the affected system as a standard user. The attacker enumerates writable files in the Protector Software directory, replaces a targeted binary or module with a malicious payload of the same name, and waits for the software or its service to execute the file. Some user interaction or a service restart may be required to trigger code execution. No network access, special privileges, or authentication credentials are needed beyond the local user account.
No verified public proof-of-concept code is available. Refer to the Draeger Security Vulnerability Report and the VulnCheck Advisory for Draeger Software for the authoritative technical description.
Detection Methods for CVE-2021-4481
Indicators of Compromise
- Unexpected modification timestamps on executables or DLLs within the Dräger Protector Software install directory
- Presence of unsigned or non-vendor binaries in the application folder
- Child processes spawned by Protector Software running under NT AUTHORITY\SYSTEM that perform shell, scripting, or network activity
- New scheduled tasks or services created shortly after Protector Software starts
Detection Strategies
- Audit ACLs on the Protector Software installation path and flag any entries granting write or modify access to Users, Authenticated Users, or Everyone
- Enable Windows file integrity monitoring on the install directory to capture unauthorized writes by non-administrative accounts
- Hunt for code-signing anomalies on binaries loaded by the Protector process tree
- Correlate process creation events where the parent is Protector Software and the child is a known living-off-the-land binary (LOLBin)
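The ACL audit in the first strategy can be scripted as follows. This is an added example, not vendor or advisory code; the install path is an assumption taken from the icacls example on this page, and the set of "risky" rights is this example's own choice.

```powershell
# Added example: find ACEs in the install tree that let unprivileged groups
# write, delete, or re-permission files (the CWE-732 condition described above).
# Assumed path (from the page's icacls example); adjust to the real install location.
$InstallPath = 'C:\Program Files\Draeger\Protector'

# Well-known SIDs rather than names, so the check also works on localized Windows.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# WriteData | AppendData | DeleteSubdirectoriesAndFiles | Delete |
# ChangePermissions | TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL,
# which can appear as raw values on inherit-only ACEs.
$riskyMask = 0x000D0046 -bor 0x40000000 -bor 0x10000000

$targets = @(Get-Item -LiteralPath $InstallPath) +
           @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $lowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
if ($findings) {
    Write-Warning "$(@($findings).Count) ACE(s) grant write-class rights to unprivileged groups under $InstallPath"
}
```

Run it from an elevated session before and after upgrading or hardening; an empty result after the change confirms the permissive entries are gone.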
Monitoring Recommendations
- Enable Windows Security event ID 4663 (object access) on the Protector install path with audit SACLs
- Collect Sysmon Event ID 11 (FileCreate) and 7 (ImageLoad) for files within the application directory
- Forward telemetry to a centralized SIEM or data lake for retrospective hunting against known IOCs
How to Mitigate CVE-2021-4481
Immediate Actions Required
- Upgrade Dräger Protector Software to version 6.4.2 or later on all affected hosts
- Inventory all systems where Protector Software is installed and confirm the running version
- Restrict interactive logon on hosts running Protector Software to trusted administrative users until patched
- Verify file integrity of existing binaries before applying the update to detect prior tampering
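For the integrity check above and the "unsigned or non-vendor binaries" indicator, the following added example (not vendor or advisory code) inventories signature status, signer, timestamp, and hash for binaries in the install tree. The install path comes from the icacls example on this page, and treating the most common valid signer as the baseline is an assumption of this example.

```powershell
# Added example: inventory Authenticode status of binaries in the install tree
# and list files that deviate from the dominant signer.
# Assumed path (from the page's icacls example); adjust to the real install location.
$InstallPath = 'C:\Program Files\Draeger\Protector'

$binaries = Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.ocx' }

$inventory = foreach ($file in $binaries) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        Status    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LastWrite = $file.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Assumption: most files are still the vendor's originals, so the signer that
# covers the largest number of validly signed files is used as the baseline.
$baseline = ($inventory | Where-Object Status -eq 'Valid' | Group-Object Signer |
             Sort-Object Count -Descending | Select-Object -First 1).Name

# Anything unsigned, failing validation, or signed by a different party needs review.
$suspect = $inventory | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -ne $baseline }

$suspect | Sort-Object LastWrite -Descending |
    Format-Table Path, Status, Signer, LastWrite -AutoSize -Wrap

# Keep the full inventory so hashes can be compared with a known-good install.
$inventory | Export-Csv -LiteralPath "$env:TEMP\protector-binary-inventory.csv" -NoTypeInformation
```

A product may legitimately ship some unsigned files, so compare the flagged entries and their hashes against a clean installation of the same version before drawing conclusions.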
Patch Information
Dräger has released Protector Software version 6.4.2, which corrects the file system permissions on installation directories and prevents non-privileged users from modifying executable content. Patch details are documented in the Draeger Security Vulnerability Report.
Workarounds
- Manually harden ACLs on the Protector Software install directory so only Administrators, SYSTEM, and TrustedInstaller have write or modify rights
- Remove inherited permissions that grant Users or Authenticated Users write access to program files
- Enforce application allowlisting (for example, Windows Defender Application Control or AppLocker) to block execution of unsigned or unexpected binaries from the install path
- Limit local user accounts on systems hosting Protector Software to reduce the population capable of exploiting the flaw
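# Example: Harden ACLs on the Protector Software install directory (run as Administrator)
# Stop inheriting ACEs from the parent directory
icacls "C:\Program Files\Draeger\Protector" /inheritance:r
# Full control for administrative principals only; TrustedInstaller is a service account and needs the NT SERVICE\ prefix
icacls "C:\Program Files\Draeger\Protector" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "NT SERVICE\TrustedInstaller:(OI)(CI)F"
# Remove explicit entries for unprivileged groups, including on existing files and subfolders (/T)
# Note: standard users can no longer launch the application afterwards unless they are granted read-and-execute only
icacls "C:\Program Files\Draeger\Protector" /remove "Users" "Authenticated Users" "Everyone" /T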