CVE-2021-42287

CVE-2021-42287 is a high-severity vulnerability in Microsoft Windows Server 2008 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-11).

Key facts

Description

Active Directory Domain Services Elevation of Privilege Vulnerability

Active Directory Domain Services Elevation of Privilege (CVE-2021-42287)

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2021-42287 is an elevation of privilege vulnerability in Active Directory Domain Services. An authenticated attacker can exploit this flaw to escalate privileges within a Windows domain, potentially achieving full domain compromise.

Background

Active Directory Domain Services (AD DS) provides the directory services and authentication infrastructure for Windows domain networks. This vulnerability exists within the AD DS component responsible for processing security principal identity assertions, enabling an authenticated user to bypass normal authorization boundaries.

Root Cause

The specific Common Weakness Enumeration (CWE) identifier was not provided in the source data. The underlying flaw involves insufficient validation within Active Directory Domain Services, where an authenticated attacker can manipulate identity assertions to impersonate a higher-privilege principal. This security feature bypass allows the attacker to obtain elevated access rights within the domain.

Impact

The vulnerability is rated HIGH severity with a CVSS 3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low-level authenticated access can achieve high impact on confidentiality, integrity, and availability. The CVSS v2 base score is 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), with a network attack vector, low attack complexity, and single authentication required. The attack requires no user interaction.

Exploitation Walkthrough

Ethics Caveat: This section describes the attack concept at a high level for defensive awareness only. It does not provide weaponized exploit code or step-by-step instructions that could be used to compromise systems without authorization.

An attacker with valid domain credentials leverages a flaw in how Active Directory Domain Services validates security principal identities. By manipulating identity attributes within the domain, the attacker tricks the authentication system into granting elevated privileges. The attacker can then use these elevated privileges to access sensitive resources, modify domain configurations, or impersonate privileged accounts. Successful exploitation requires network access to the domain controller and valid low-privilege credentials.

Affected and Patched Versions

The vulnerability affects the following Windows Server versions according to the source data:

  • Windows Server 2008 (SP2)
  • Windows Server 2008 R2 (SP1, x64)
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016 (2004)
  • Windows Server 2019
  • Windows Server 2022

Specific patched versions and corresponding KB article numbers were not provided in the source data. Administrators should consult the Microsoft Security Response Center advisory for the latest update information.

Remediation

  1. Apply Security Updates: Install the latest Microsoft security updates for affected Windows Server versions as detailed in the MSRC advisory.
  2. Implement Compensating Controls:
    • Enforce the principle of least privilege for all domain accounts.
    • Monitor for anomalous authentication requests and privilege escalation attempts.
    • Rotate the KRBTGT account password if domain compromise is suspected.
    • Restrict lateral movement by segmenting domain controllers and limiting access to privileged management networks.
  3. Credential Hygiene: Ensure service accounts and privileged accounts use strong, unique passwords and are protected by multi-factor authentication where possible.

Detection

Security teams should monitor Active Directory logs and network traffic for:

  • Anomalous authentication requests or ticket-granting activity from low-privilege accounts.
  • Unexpected privilege escalation events within the domain.
  • Unusual account creation or modification patterns.
  • Authentication attempts from non-standard workstations or source IP addresses.

Assessment

CVE-2021-42287 carries an EPSS score of 0.74265, placing it in the 99.43rd percentile, indicating a very high probability of exploitation in the wild. It was added to the CISA Known Exploited Vulnerabilities catalog on 2022-04-11 and is actively exploited. The combination of network accessibility, high impact, and confirmed active exploitation makes this a critical patching priority for all organizations running affected Windows Server versions.

Lessons:

  1. Central identity systems are high-value targets: A vulnerability in core directory services can have domain-wide consequences. Continuous monitoring of authentication and authorization events is essential.
  2. Exploitation likelihood demands urgency: With an EPSS above 0.74 and confirmed KEV status, this vulnerability should be patched immediately rather than deferred.

References

Frequently asked questions

What is CVE-2021-42287?
Active Directory Domain Services Elevation of Privilege Vulnerability
How severe is CVE-2021-42287?
CVE-2021-42287 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-42287 being actively exploited?
Yes. CVE-2021-42287 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-42287?
CVE-2021-42287 primarily affects Microsoft Windows Server 2008. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-42287?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-42287 have an EU (EUVD) identifier?
Yes. CVE-2021-42287 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-29262. It is also flagged as exploited in the EUVD (since 2022-04-11).
When was CVE-2021-42287 published?
CVE-2021-42287 was published on 2021-11-10 and last updated on 2026-06-17.

References

Affected products (8)

More vulnerabilities in Microsoft Windows Server 2008

All CVEs affecting Microsoft Windows Server 2008 →