CVE-2021-36934

Critical · CISA KEV · Exploit Available
Published: Feb 10, 2022 · Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Microsoft Windows SAM Local Privilege Escalation Vulnerability — If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level.

🤖 AI Executive Summary

CVE-2021-36934 is a critical local privilege escalation vulnerability in Microsoft Windows that allows any authenticated user to read the SAM (Security Account Manager) database through Volume Shadow Copy, enabling escalation to SYSTEM level. With a CVSS score of 9.0 and publicly available exploits, this vulnerability poses an immediate threat to all Windows-based infrastructure in Saudi organizations. Patching is urgent as the attack requires only local access and no special privileges.

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 00:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability critically impacts all Saudi sectors relying on Windows infrastructure: Banking sector (SAMA-regulated institutions) faces risk of unauthorized access to critical systems and customer data; Government agencies (NCA oversight) could experience compromise of sensitive administrative systems; Healthcare organizations risk patient data breaches; Energy sector (ARAMCO and related entities) could face operational technology compromise; Telecom providers (STC, Mobily) managing billing and customer systems are at risk. The vulnerability is particularly dangerous in Saudi organizations due to widespread Windows deployment in both enterprise and government environments, and the prevalence of VSS backups in standard IT configurations.
🏢 Affected Saudi Sectors
Banking & Financial Services; Government & Public Administration; Healthcare; Energy & Utilities; Telecommunications; Defense & Security; Education; Transportation
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Prioritize patching all Windows systems (Server 2008 R2 through Windows 11, Server 2022) with August 2021 or later security updates
2. Disable Volume Shadow Copy Service (VSS) on non-critical systems if patching cannot be immediately deployed
3. Restrict local logon privileges and implement principle of least privilege
4. Review and audit local administrator group membership across all systems

PATCHING GUIDANCE:
1. Deploy Windows Update KB5005394 (or later cumulative updates) immediately
2. For Server environments, apply corresponding Server patches (2008 R2 KB5005394, 2012 R2 KB5005394, 2016 KB5005394, 2019 KB5005394, 2022 KB5005394)
3. Test patches in non-production environment first, then deploy via WSUS or endpoint management tools
4. Verify patch installation with 'systeminfo' command and check for KB5005394

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement file-level access controls on SAM database location (C:\Windows\System32\config\SAM)
2. Monitor VSS shadow copy creation and access attempts
3. Implement application whitelisting to prevent unauthorized tools accessing shadow copies
4. Deploy endpoint detection and response (EDR) solutions to detect SAM access attempts
5. Enable Windows Defender for Endpoint with attack surface reduction rules
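Before choosing between patching and compensating controls, it helps to know whether a host actually meets both preconditions of this CVE. The following read-only check is an added example (not part of this advisory or any vendor tool): it inspects the ACL on the registry hive files under System32\config (the advisory names SAM; SECURITY and SYSTEM carried the same ACL in the original issue) and counts VSS shadow copies of the system drive. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example, not from the advisory: read-only check of the two conditions
# behind CVE-2021-36934 on the local host. Run from an elevated prompt.
#   1. Do the hive files under System32\config grant BUILTIN\Users read access?
#      (The advisory names SAM; SECURITY and SYSTEM had the same ACL in the original issue.)
#   2. Does at least one VSS shadow copy of the system drive exist, through which
#      such a hive could be read while the live file is locked by the kernel?
# Both must hold for the exposure the advisory describes; the script only reports.

$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $hiveDir $_ }

function Test-UsersCanReadHive {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl needs only READ_CONTROL, so it works on hives the kernel holds open.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isUsers    = $ace.IdentityReference.Value -like '*\Users'
        $readData   = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        $allowsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (([int]$ace.FileSystemRights -band $readData) -ne 0)
        if ($isUsers -and $allowsRead) { return $true }
    }
    return $false
}

function Get-SystemDriveShadowCopies {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
    $sysVol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $env:SystemDrive
    Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

$exposedHives = @($hives | Where-Object { Test-UsersCanReadHive -Path $_ })
$shadows      = @(Get-SystemDriveShadowCopies)

foreach ($h in $hives) {
    $state = if ($exposedHives -contains $h) { 'Users can read' } else { 'restricted' }
    Write-Output ('{0,-45} {1}' -f $h, $state)
}
Write-Output ('Shadow copies of {0}: {1}' -f $env:SystemDrive, $shadows.Count)

if ($exposedHives.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning 'EXPOSED: hive ACL is over-permissive and a shadow copy exists. Patch; as a workaround, restore ACL inheritance on the config directory and remove stale shadow copies.'
} elseif ($exposedHives.Count -gt 0) {
    Write-Warning 'Hive ACL is over-permissive; any future shadow copy would expose it. Patch.'
} else {
    Write-Output 'Hive ACLs restrict Users access; this host is not exposed to CVE-2021-36934.'
}
```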

DETECTION RULES:
1. Monitor Event ID 4656 (Handle to an object was requested) for SAM file access
2. Alert on vssadmin.exe or diskshadow.exe execution by non-administrative users
3. Monitor for PowerShell scripts accessing shadow copy volumes
4. Track creation of new local administrator accounts
5. Monitor registry access to HKLM\SAM
6. Alert on unusual SYSTEM-level process creation from user sessions
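Detection rules 1 and 2 above are easiest to reason about with concrete records in hand. The block below is an added example (not from the advisory): it runs the two rules over a few constructed records shaped like Security log events 4656 and 4688, so it works offline. With live data, feed it parsed output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4688}`; the property names (User, Process, Object, CommandLine) and the admin allow-list are assumptions of this example, and the rules assume "Audit File System" and "Audit Process Creation" (with command line) are enabled.

```powershell
# Added example, not from the advisory: detection logic for rules 1 and 2, run over
# constructed sample records shaped like Security log events so it works offline.
# Property names and the admin allow-list are assumptions of this example.

$sampleEvents = @(
    [pscustomobject]@{ Id=4656; User='jdoe';      Process='C:\Windows\System32\cmd.exe';
        Object='\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM' }
    [pscustomobject]@{ Id=4656; User='SYSTEM';    Process='C:\Windows\System32\lsass.exe';
        Object='C:\Windows\System32\config\SAM' }
    [pscustomobject]@{ Id=4688; User='jdoe';      Process='C:\Windows\System32\vssadmin.exe';
        CommandLine='vssadmin list shadows' }
    [pscustomobject]@{ Id=4688; User='backupsvc'; Process='C:\Windows\System32\vssadmin.exe';
        CommandLine='vssadmin create shadow /for=C:' }
)
$localAdmins = @('Administrator', 'backupsvc')   # constructed allow-list; use real group membership

function Find-SamExposureEvents {
    param([object[]]$Events, [string[]]$AdminAccounts)
    foreach ($e in $Events) {
        $reason = $null
        switch ($e.Id) {
            4656 {
                # Rule 1: handle requested on the SAM hive. A shadow-copy path is the
                # CVE-2021-36934 pattern; a live-path hit by SYSTEM (lsass) is normal.
                if ($e.Object -match '\\config\\SAM$') {
                    if ($e.Object -match 'HarddiskVolumeShadowCopy') { $reason = 'SAM read via shadow copy' }
                    elseif ($e.User -ne 'SYSTEM') { $reason = 'SAM handle by non-SYSTEM principal' }
                }
            }
            4688 {
                # Rule 2: VSS tooling launched by an account outside the admin allow-list.
                if ($e.Process -match '\\(vssadmin|diskshadow)\.exe$' -and
                    $AdminAccounts -notcontains $e.User) {
                    $reason = 'VSS tool run by non-admin'
                }
            }
        }
        if ($reason) {
            $detail = if ($e.Object) { $e.Object } else { $e.CommandLine }
            [pscustomobject]@{ Id=$e.Id; User=$e.User; Reason=$reason; Detail=$detail }
        }
    }
}

# Expected on the sample data: two alerts, both for 'jdoe' (shadow-copy SAM read, vssadmin run).
Find-SamExposureEvents -Events $sampleEvents -AdminAccounts $localAdmins | Format-Table -AutoSize
```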
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - User registration and de-registration
A.6.2.1 - User access provisioning
A.7.1.1 - Physical entry
A.8.1.1 - User endpoint devices
A.8.2.1 - Privileged access rights
A.8.3.1 - Information access restriction
A.9.2.1 - User authentication
A.9.4.1 - Password management
A.10.1.1 - Cryptography policy
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
Governance & Risk Management - Vulnerability Management
Information & Cybersecurity - Access Control
Information & Cybersecurity - Privileged Access Management
Information & Cybersecurity - Patch Management
Operational Resilience - Incident Response
🟡 ISO 27001:2022
5.15 - Access control
5.16 - Identification and authentication
5.17 - Access rights
5.18 - Information security in supplier relationships
6.5 - Control of changes
8.1 - Information security incident management
8.2 - Nonconformity and corrective action
🟣 PCI DSS v4.0
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches
Requirement 7 - Restrict access to data
Requirement 8.1 - User identification and authentication
📦 Affected Products / CPE (1 entry): Microsoft:Windows
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0 / 10.0 (Critical)
EPSS: 90.83%
Exploit: Yes
Patch: Yes
CISA KEV: Yes
KEV Due Date: 2022-02-24
Published: 2022-02-10
Source Feed: cisa_kev
Saudi Risk Score: 9.2 / 10.0
Priority: CRITICAL
🏷️ Tags: kev, actively-exploited