Attacker Value: Low (2 users assessed)
Exploitability: Very Low (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local
CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability

Disclosure Date: January 12, 2021
Exploited in the Wild
Reported by ccondon-r7
MITRE ATT&CK tactics
Initial Access: Validated
Privilege Escalation: Validated

Description

CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft’s Defender anti-virus product. It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. More information: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647

Technical Analysis

Seeing more evidence of people trying to exploit this in the wild in recent days, with samples such as the ones listed at https://twitter.com/dnpushme/status/1350022293464907780 being detected as CVE-2021-1647 exploit files per VirusTotal analysis.

CVSS V3 Severity and Metrics
Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Microsoft

Products

  • Microsoft System Center
  • Microsoft Security Essentials
  • Windows Defender on Windows 10 Version 1803 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1803 for x64-based Systems
  • Windows Defender on Windows 10 Version 1803 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1809 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1809 for x64-based Systems
  • Windows Defender on Windows 10 Version 1809 for ARM64-based Systems
  • Windows Defender on Windows Server 2019
  • Windows Defender on Windows Server 2019 (Server Core installation)
  • Windows Defender on Windows 10 Version 1909 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1909 for x64-based Systems
  • Windows Defender on Windows 10 Version 1909 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1909 (Server Core installation)
  • Windows Defender on Windows 10 Version 2004 for 32-bit Systems
  • Windows Defender on Windows 10 Version 2004 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 2004 for x64-based Systems
  • Windows Defender on Windows Server, version 2004 (Server Core installation)
  • Windows Defender on Windows 10 Version 20H2 for x64-based Systems
  • Windows Defender on Windows 10 Version 20H2 for 32-bit Systems
  • Windows Defender on Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Defender on Windows Server, version 20H2 (Server Core installation)
  • Windows Defender on Windows 10 for 32-bit Systems
  • Windows Defender on Windows 10 for x64-based Systems
  • Windows Defender on Windows 10 Version 1607 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1607 for x64-based Systems
  • Windows Defender on Windows Server 2016
  • Windows Defender on Windows Server 2016 (Server Core installation)
  • Windows Defender on Windows 7 for 32-bit Systems
  • Windows Defender on Windows 7 for x64-based Systems
  • Windows Defender on Windows 8.1 for 32-bit Systems
  • Windows Defender on Windows 8.1 for x64-based Systems
  • Windows Defender on Windows RT 8.1
  • Windows Defender on Windows Server 2008 for 32-bit Systems
  • Windows Defender on Windows Server 2008 for 32-bit Systems (Server Core installation)
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Defender on Windows Server 2012
  • Windows Defender on Windows Server 2012 (Server Core installation)
  • Windows Defender on Windows Server 2012 R2
  • Windows Defender on Windows Server 2012 R2 (Server Core installation)