Microsoft has fixed a vulnerability in the PsExec utility that allows local users to gain elevated privileges on Windows devices. PsExec is a Sysinternals utility designed to allow administrators to perform various activities on remote computers, such as launching executables and displaying the output on the local computer or creating reverse shells. Threat actors commonly use PsExec in their post-exploitation toolkits to spread laterally to other machines on a network, execute commands on a large number of devices simultaneously, or deploy malware such as ransomware.
A. Nature of the Vulnerability
The vulnerability was tracked as:
CVE-2021-1733, the Sysinternals PsExec Elevation of Privilege Vulnerability allows a non-admin process to escalate to SYSTEM if PsExec is executed locally or remotely on the target machine. Rated with a CVSS score of 7.8, attackers could exploit this vulnerability by accessing the target system locally, remotely or by relying on user interaction. Successful exploitation could allow the attacker to gain elevated privileges on Windows devices.
B. List of Vulnerable Systems
Vulnerable Windows PSExec version are as follows:
- 2.32 and earlier
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patched versions of the affected Windows PSExec products from the Microsoft Security Response Center (MSRC) Security Advisory.