High
CVE-2021-26411
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(2 users assessed)High
(2 users assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Internet Explorer Memory Corruption Vulnerability
Add Assessment
Technical Analysis
There is now public threat intelligence that the Purple Fox exploit kit has incorporated this vulnerability and is exploiting it.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityHigh
Technical Analysis
Update: This is now reported as having been exploited in the wild by North Korean APT actors along with CVE-2020-1380 as noted at https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
Reported as exploited in the wild at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411. Appears to be a memory corruption bug in Internet Explorer and Edge which would allow for a watering hole or drive by attack whereby a user is convinced to visit an attacker’s malicious website and then the attacker would be able to gain RCE on the user’s computer. Interestingly, despite this being a memory corruption bug, which is typically harder to exploit, Microsoft has still written up the exploitability of this vulnerability as Low.
There also appears to be an analysis of this vulnerability at https://enki.co.kr/blog/2021/02/04/ie_0day.html which suggests that this was the vulnerability used by the Laurus APT group to attack security researchers in Feburary. An English summary can be found at https://www.bleepingcomputer.com/news/security/hacking-group-also-used-an-ie-zero-day-against-security-researchers/ which suggests that this vulnerability was a double free vulnerability in IE which was triggered by sending a user a malicious MHT/MHTML file, and if the user allowed script execution, then CVE-2021-26411 would be exploited.
Given that Mitja Kolsek of 0Patch was able to replicate this issue relatively quickly, I’d say its likely that attackers will be able to exploit this vulnerability as well. I would expect to see more widespread exploitation of this vulnerability in the coming months.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- edge -,
- internet explorer 11,
- internet explorer 9
Exploited in the Wild
- News Article or Blog (https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/)
- Other: Google EITW Root Cause Analysis (https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: