CVE-2021-36942
CVE-2021-36942 is a high-severity vulnerability in Microsoft Windows Server 2004 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 66% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-23518
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Windows Server 2004
- Published:
- Last modified:
Description
Windows LSA Spoofing Vulnerability
Windows LSA Spoofing Vulnerability (CVE-2021-36942)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-36942 is a Windows Local Security Authority (LSA) spoofing vulnerability affecting multiple Windows Server versions. The vulnerability is rated HIGH severity under CVSS v3.1 with a base score of 7.5, and MEDIUM under CVSS v2 with a score of 5.0. With an EPSS score of 0.66023 (99.18th percentile), the probability of active exploitation is exceptionally high. The vulnerability has been actively exploited in the wild since November 2021 and is listed in CISA's Known Exploited Vulnerabilities catalog.
Background
The Local Security Authority (LSA) is a critical Windows subsystem responsible for enforcing security policies and managing authentication. Spoofing vulnerabilities in LSA-related components can allow attackers to manipulate authentication processes between systems. This vulnerability class targets the trust relationships that Windows Servers rely upon for secure communication.
Root Cause
The root cause is an LSA spoofing condition where authentication requests are not properly validated. While the specific CWE identifier is not documented in available records, the underlying weakness relates to insufficient verification of authentication protocol integrity, allowing an unauthenticated remote attacker to interfere with LSA operations. The vulnerability can be exploited without authentication, user interaction, or local access.
Impact
Under CVSS v3.1, the vulnerability scores 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N:
- Attack Vector (AV): Network — exploitable remotely
- Attack Complexity (AC): Low — no special conditions required
- Privileges Required (PR): None — no valid credentials needed
- User Interaction (UI): None — no user action required
- Scope (S): Unchanged — impact limited to the vulnerable component
- Confidentiality (C): High — significant information disclosure
- Integrity (I): None
- Availability (A): None
The CVSS v2 vector AV:N/AC:L/Au:N/C:N/I:P/A:N reflects partial integrity impact under the older scoring model, while CVSS v3.1 emphasizes the confidentiality impact.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. No weaponized exploit code is included.
An attacker with network access to a vulnerable Windows Server can exploit this vulnerability through the following conceptual steps:
- Target Identification: Locate Windows Servers running affected versions that expose LSA interfaces.
- Spoofing Attempt: Send a crafted request to the LSA interface designed to trigger an unintended authentication or trust operation.
- Credential Exposure: The spoofed authentication attempt may expose credentials or authentication material to the attacker.
- Lateral Movement: Obtained credentials or authentication material may be used to access additional systems.
This attack chain requires no valid credentials, user interaction, or local access, making it particularly severe in enterprise environments.
Affected and Patched Versions
The following Windows Server versions are confirmed vulnerable:
- Windows Server 2004
- Windows Server 2008 (SP2)
- Windows Server 2008 R2 (SP1, x64)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 20H2
Microsoft released security updates to address this vulnerability. Organizations should apply the relevant patches through Microsoft Update or Windows Server Update Services (WSUS). End-of-life versions require migration planning or extended support agreements.
Remediation
- Apply Security Updates: Install the relevant Microsoft security updates for all affected Windows Server versions.
- Enable Authentication Protections: Configure Extended Protection for Authentication (EPA) where supported to reduce relay attack surface.
- Require SMB Signing: Enforce SMB signing to prevent tampering with authentication negotiations.
- Network Segmentation: Segment networks to restrict lateral movement and limit exposure of LSA interfaces.
- Disable Legacy Protocols: Transition away from legacy authentication protocols where possible.
- Account Tiering: Implement credential tiering to limit the impact of compromised credentials.
Detection
Security teams should monitor for:
- Unusual authentication events from unexpected source IPs
- SMB and RPC traffic patterns targeting LSA interfaces from non-administrative hosts
- NTLM authentication anomalies where Kerberos is expected
- Event log patterns indicating forced authentication attempts
Assessment
CVE-2021-36942 represents a critical risk to Windows Server environments due to its high EPSS score (0.66023), low exploitation complexity, and confirmed active exploitation since November 2021. The vulnerability is tracked in CISA's Known Exploited Vulnerabilities catalog and the European Union vulnerability database (EUVD-2021-23518).
Key lessons:
- Patch velocity matters: The short window between disclosure and active exploitation demonstrates the need for rapid patch deployment.
- Authentication boundaries require continuous hardening: Core authentication subsystems like LSA remain high-value targets and require ongoing defensive investment.
References
Frequently asked questions
- What is CVE-2021-36942?
- Windows LSA Spoofing Vulnerability
- How severe is CVE-2021-36942?
- CVE-2021-36942 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-36942 being actively exploited?
- Yes. CVE-2021-36942 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-36942?
- CVE-2021-36942 primarily affects Microsoft Windows Server 2004. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-36942?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-36942 have an EU (EUVD) identifier?
- Yes. CVE-2021-36942 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-23518. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-36942 published?
- CVE-2021-36942 was published on 2021-08-12 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942
- https://www.kb.cert.org/vuls/id/405600
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36942
Affected products (8)
- cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows Server 2004
- CVE-2021-31166 — Critical (CVSS 9.8): HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2021-40444 — High (CVSS 8.8): <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft…
- CVE-2021-33739 — High (CVSS 8.4): Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2021-43226 — High (CVSS 7.8): Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2021-41357 — High (CVSS 7.8): Win32k Elevation of Privilege Vulnerability
- CVE-2021-40450 — High (CVSS 7.8): Win32k Elevation of Privilege Vulnerability