Attacker Value
High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
4

CVE-2021-26411

Disclosure Date: March 11, 2021
CVE-2021-26411 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by gwillcox-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Internet Explorer Memory Corruption Vulnerability

Add Assessment

2
Technical Analysis

There is now public threat intelligence that the Purple Fox exploit kit has incorporated this vulnerability and is exploiting it.

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Common in enterpriseUnauthenticatedVulnerable in default configuration
Technical Analysis

Update: This is now reported as having been exploited in the wild by North Korean APT actors along with CVE-2020-1380 as noted at https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

Reported as exploited in the wild at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411. Appears to be a memory corruption bug in Internet Explorer and Edge which would allow for a watering hole or drive by attack whereby a user is convinced to visit an attacker’s malicious website and then the attacker would be able to gain RCE on the user’s computer. Interestingly, despite this being a memory corruption bug, which is typically harder to exploit, Microsoft has still written up the exploitability of this vulnerability as Low.

There also appears to be an analysis of this vulnerability at https://enki.co.kr/blog/2021/02/04/ie_0day.html which suggests that this was the vulnerability used by the Laurus APT group to attack security researchers in Feburary. An English summary can be found at https://www.bleepingcomputer.com/news/security/hacking-group-also-used-an-ie-zero-day-against-security-researchers/ which suggests that this vulnerability was a double free vulnerability in IE which was triggered by sending a user a malicious MHT/MHTML file, and if the user allowed script execution, then CVE-2021-26411 would be exploited.

Given that Mitja Kolsek of 0Patch was able to replicate this issue relatively quickly, I’d say its likely that attackers will be able to exploit this vulnerability as well. I would expect to see more widespread exploitation of this vulnerability in the coming months.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.3
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
High
Availability (A):
Low

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Internet Explorer 9 publication
Internet Explorer 11 publication
Microsoft Edge (EdgeHTML-based) publication
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • edge -,
  • internet explorer 11,
  • internet explorer 9

Exploited in the Wild

Reported by:
Technical Analysis