CVE-2021-41379

MEDIUM KEV RANSOMWARE

Windows Installer - Elevation of Privilege via Improper Link Resolution

Title source: llm

Exploitation Summary

CVE-2021-41379 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including jbaines-r7.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2021-41379, demonstrating arbitrary file creation via a race condition in the Windows Installer. The exploit leverages oplocks and directory junctions to manipulate file operations during MSI installation.

Description

Windows Installer Elevation of Privilege Vulnerability

Exploits (1)

patchapalooza WORKING POC
by jbaines-r7 · local
https://github.com/jbaines-r7/shakeitoff

Classification
Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows Installer
Auth required
Prerequisites: Administrative privileges · Empty directory for installation · Specific MSI file
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 5.5
EPSS 0.0102
EPSS Percentile 77.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2021-11-30
InTheWild.io 2021-11-29
ENISA EUVD EUVD-2021-28407
Ransomware Use Confirmed
CWE CWE-59
Status published
Products (20)
microsoft/windows_10_1507 < 10.0.10240.19119
microsoft/windows_10_1607 < 10.0.14393.4770
microsoft/windows_10_1809 < 10.0.17763.2300
microsoft/windows_10_1909 < 10.0.18363.1916
microsoft/windows_10_2004 < 10.0.19041.1348
microsoft/windows_10_20h2 < 10.0.19042.1348
microsoft/windows_10_21h1 < 10.0.19043.1348
microsoft/windows_11_21h2 < 10.0.22000.318
microsoft/windows_7
microsoft/windows_8.1
... and 10 more
Published Nov 10, 2021
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026