CVE-2021-42287
CVE-2021-42287 is a high-severity vulnerability in Microsoft Windows Server 2008 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-11).
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 6.5
- EPSS exploit prediction: 74% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-04-11)
- EU (EUVD) id: EUVD-2021-29262
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-04-11)
- Affected product: Microsoft Windows Server 2008
- Published:
- Last modified:
Description
Active Directory Domain Services Elevation of Privilege Vulnerability
Active Directory Domain Services Elevation of Privilege (CVE-2021-42287)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-42287 is an elevation of privilege vulnerability in Active Directory Domain Services. An authenticated attacker can exploit this flaw to escalate privileges within a Windows domain, potentially achieving full domain compromise.
Background
Active Directory Domain Services (AD DS) provides the directory services and authentication infrastructure for Windows domain networks. This vulnerability exists within the AD DS component responsible for processing security principal identity assertions, enabling an authenticated user to bypass normal authorization boundaries.
Root Cause
The specific Common Weakness Enumeration (CWE) identifier was not provided in the source data. The underlying flaw involves insufficient validation within Active Directory Domain Services, where an authenticated attacker can manipulate identity assertions to impersonate a higher-privilege principal. This security feature bypass allows the attacker to obtain elevated access rights within the domain.
Impact
The vulnerability is rated HIGH severity with a CVSS 3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low-level authenticated access can achieve high impact on confidentiality, integrity, and availability. The CVSS v2 base score is 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), with a network attack vector, low attack complexity, and single authentication required. The attack requires no user interaction.
Exploitation Walkthrough
Ethics Caveat: This section describes the attack concept at a high level for defensive awareness only. It does not provide weaponized exploit code or step-by-step instructions that could be used to compromise systems without authorization.
An attacker with valid domain credentials leverages a flaw in how Active Directory Domain Services validates security principal identities. By manipulating identity attributes within the domain, the attacker tricks the authentication system into granting elevated privileges. The attacker can then use these elevated privileges to access sensitive resources, modify domain configurations, or impersonate privileged accounts. Successful exploitation requires network access to the domain controller and valid low-privilege credentials.
Affected and Patched Versions
The vulnerability affects the following Windows Server versions according to the source data:
- Windows Server 2008 (SP2)
- Windows Server 2008 R2 (SP1, x64)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016 (2004)
- Windows Server 2019
- Windows Server 2022
Specific patched versions and corresponding KB article numbers were not provided in the source data. Administrators should consult the Microsoft Security Response Center advisory for the latest update information.
Remediation
- Apply Security Updates: Install the latest Microsoft security updates for affected Windows Server versions as detailed in the MSRC advisory.
- Implement Compensating Controls:
- Enforce the principle of least privilege for all domain accounts.
- Monitor for anomalous authentication requests and privilege escalation attempts.
- Rotate the KRBTGT account password if domain compromise is suspected.
- Restrict lateral movement by segmenting domain controllers and limiting access to privileged management networks.
- Credential Hygiene: Ensure service accounts and privileged accounts use strong, unique passwords and are protected by multi-factor authentication where possible.
Detection
Security teams should monitor Active Directory logs and network traffic for:
- Anomalous authentication requests or ticket-granting activity from low-privilege accounts.
- Unexpected privilege escalation events within the domain.
- Unusual account creation or modification patterns.
- Authentication attempts from non-standard workstations or source IP addresses.
Assessment
CVE-2021-42287 carries an EPSS score of 0.74265, placing it in the 99.43rd percentile, indicating a very high probability of exploitation in the wild. It was added to the CISA Known Exploited Vulnerabilities catalog on 2022-04-11 and is actively exploited. The combination of network accessibility, high impact, and confirmed active exploitation makes this a critical patching priority for all organizations running affected Windows Server versions.
Lessons:
- Central identity systems are high-value targets: A vulnerability in core directory services can have domain-wide consequences. Continuous monitoring of authentication and authorization events is essential.
- Exploitation likelihood demands urgency: With an EPSS above 0.74 and confirmed KEV status, this vulnerability should be patched immediately rather than deferred.
References
Frequently asked questions
- What is CVE-2021-42287?
- Active Directory Domain Services Elevation of Privilege Vulnerability
- How severe is CVE-2021-42287?
- CVE-2021-42287 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-42287 being actively exploited?
- Yes. CVE-2021-42287 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-42287?
- CVE-2021-42287 primarily affects Microsoft Windows Server 2008. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-42287?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-42287 have an EU (EUVD) identifier?
- Yes. CVE-2021-42287 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-29262. It is also flagged as exploited in the EUVD (since 2022-04-11).
- When was CVE-2021-42287 published?
- CVE-2021-42287 was published on 2021-11-10 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42287
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42287
Affected products (8)
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows Server 2008
- CVE-2020-1467 — Critical (CVSS 10.0): An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully…
- CVE-2020-1350 — Critical (CVSS 10.0): A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle…
- CVE-2015-0014 — Critical (CVSS 10.0): Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2…
- CVE-2014-6321 — Critical (CVSS 10.0): Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,…
- CVE-2013-3195 — Critical (CVSS 10.0): The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows…
- CVE-2013-3175 — Critical (CVSS 10.0): Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,…