CVE-2021-36942

HIGH · KEV · RANSOMWARE

Windows Server LSA Spoofing (2004 < 10.0.19041.1165, 2019 < 10.0.17763.2114)

Title source: llm

Exploitation Summary

CVE-2021-36942 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including GILLES Lionel, Spencer McIntyre and topotam, among them the Metasploit module auxiliary/scanner/dcerpc/petitpotam.

Description

Windows LSA Spoofing Vulnerability

Exploits (2)

metasploit WORKING POC
by GILLES Lionel, Spencer McIntyre · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/dcerpc/petitpotam.rb

This Metasploit module exploits CVE-2021-36942 (PetitPotam) to coerce authentication attempts over SMB via MS-EFSRPC methods, forcing a target machine to authenticate to an attacker-controlled server. It supports multiple named pipes and RPC methods for triggering the vulnerability.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (multiple versions)
Auth required
Prerequisites: SMB access to target · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026
patchapalooza WORKING POC
by topotam · remote
https://github.com/topotam/PetitPotam

This repository contains a functional PoC for CVE-2021-36942, which exploits the PetitPotam vulnerability to coerce Windows domain controllers into authenticating via MS-EFSRPC functions. The code includes Python and C++ implementations for triggering authentication requests.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Active Directory Certificate Services (AD CS)
No auth needed
Prerequisites: Network access to a vulnerable Windows domain controller · Ability to send RPC requests to the target
devstral-2 · analyzed Feb 23, 2026

References (3)

Core References
Tags: Exploit, Third Party Advisory, US Government Resource (third-party-advisory, x_refsource_cert-vn)
https://www.kb.cert.org/vuls/id/405600

Scores

CVSS v3: 7.5
EPSS: 0.9355
EPSS Percentile: 99.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-08-24
InTheWild.io: 2021-08-23
ENISA EUVD: EUVD-2021-23518
Ransomware Use: Confirmed
Status: published
Products (8)
microsoft/windows_server_2004 < 10.0.19041.1165
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016 < 10.0.14393.4583
microsoft/windows_server_2019 < 10.0.17763.2114
microsoft/windows_server_20h2 < 10.0.19042.1165
Published: Aug 12, 2021
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026