📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
Vulnerabilities

CVE-2021-36948

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Microsoft Windows Update Medic Service Privilege Escalation Vulnerability — Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation.
Published: Nov 3, 2021  ·  Source: CISA_KEV
CVSS v3
9.0
🔗 NVD Official
🤖 AI Executive Summary

CVE-2021-36948 is a critical privilege escalation vulnerability in Microsoft Windows Update Medic Service (CVSS 9.0) affecting Windows systems. An authenticated attacker can exploit this vulnerability to escalate privileges to SYSTEM level, potentially compromising entire systems. With public exploits available, this poses an immediate threat to Saudi organizations running unpatched Windows infrastructure.

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 00:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses critical risk to the Saudi banking sector (SAMA-regulated institutions), government agencies (under NCA oversight), healthcare providers, and the energy sector (Saudi Aramco and its subsidiaries). Windows Update Medic Service runs with elevated privileges on all Windows systems, making this a widespread threat. Compromised systems could lead to data exfiltration, lateral movement, and infrastructure disruption across critical sectors. Telecom operators (STC, Mobily) and financial institutions are particularly exposed due to their extensive Windows deployments.
🏢 Affected Saudi Sectors
Banking & Financial Services
Government & Public Administration
Healthcare & Medical Services
Energy & Utilities
Telecommunications
Transportation & Logistics
Education
Retail & Commerce
🎯 MITRE ATT&CK Techniques
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1134.004 - Access Token Manipulation: Parent PID Spoofing
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.014 - Boot or Logon Autostart Execution: Active Setup
T1547.015 - Boot or Logon Autostart Execution: Login Hook
T1053.005 - Scheduled Task/Job: Scheduled Task
T1547.010 - Boot or Logon Autostart Execution: Port Monitors
T1547.011 - Boot or Logon Autostart Execution: Print Processors
T1547.012 - Boot or Logon Autostart Execution: Print Drivers
T1547.013 - Boot or Logon Autostart Execution: Shutdown/Logoff Hooks
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1574.010 - Hijack Execution Flow: Services Registry Permissions Weakness
T1574.011 - Hijack Execution Flow: Services File Permissions Weakness
T1574.012 - Hijack Execution Flow: COR_PROFILER Environment Variable
T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Prioritize patching all Windows systems immediately — this is a critical privilege escalation with public exploits
2. Apply Microsoft security updates for Windows Update Medic Service across all affected Windows versions
3. Implement network segmentation to limit lateral movement from compromised systems
4. Monitor Windows Event Logs for suspicious privilege escalation attempts (Event ID 4688, 4672)

PATCHING GUIDANCE:
1. Deploy patches through WSUS or Windows Update for all Windows 10, Windows Server 2016/2019/2022 versions
2. Verify patch installation: Check Windows Update history and confirm KB article installation
3. Restart systems after patching to ensure complete remediation

COMPENSATING CONTROLS (if patching delayed):
1. Disable Windows Update Medic Service if not required: Set service startup type to 'Disabled'
2. Implement application whitelisting to prevent unauthorized privilege escalation attempts
3. Restrict local administrator account usage and enforce strong authentication
4. Enable Windows Defender Exploit Guard and Attack Surface Reduction rules

DETECTION RULES:
1. Monitor for WaaSMedicSvc.exe (Windows Update Medic Service) spawning child processes with elevated privileges
2. Alert on Event ID 4688 with parent process WaaSMedicSvc.exe
3. Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
4. Detect suspicious token impersonation attempts targeting SYSTEM account
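As an added example (not code from the page or its author), the following PowerShell audit script covers compensating control 1 and detection rules 2 and 3 above: it reports the WaaSMedicSvc startup type without changing it, pulls Security log Event ID 4688 records whose parent process is WaaSMedicSvc.exe (the process name the page's rule uses), and snapshots the service's registry key so later modifications can be diffed. Assumptions: Windows 10 / Server 2016 or later (the ParentProcessName field in 4688 is only populated there), an elevated session, Audit Process Creation enabled, and that the service DLL path lives in the Parameters subkey as it does for other svchost-hosted services. The function names are mine.

```powershell
# Added example, not part of the original page. Audit-only helpers for the
# WaaSMedicSvc compensating control and detection rules listed above.
# Assumes: Windows 10 / Server 2016+, elevated session, Audit Process Creation on.

# Compensating control 1: report the Windows Update Medic Service startup type.
# This only reads the state; the change itself (Set-Service -StartupType Disabled)
# is left to your configuration management process.
function Get-WaaSMedicState {
    $svc = Get-Service -Name 'WaaSMedicSvc' -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false } }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

# Detection rule 2: Event ID 4688 (process creation) whose parent process is
# WaaSMedicSvc.exe. Field names (ParentProcessName, NewProcessName, ...) are the
# standard EventData names in the 4688 XML.
function Get-WaaSMedicChildProcesses {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentProcessName'] -like '*\WaaSMedicSvc.exe') {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                Parent         = $data['ParentProcessName']
                Child          = $data['NewProcessName']
                SubjectUser    = $data['SubjectUserName']
                TokenElevation = $data['TokenElevationType']   # raw %%19xx value
            }
        }
    }
}

# Detection rule 3: snapshot the service registry key. Store the output and diff
# it on a schedule; a changed ImagePath, Start value or ServiceDll is worth a ticket.
# Assumption: ServiceDll sits under the Parameters subkey (usual for svchost services).
function Get-WaaSMedicRegistrySnapshot {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc'
    $svc = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $prm = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ImagePath  = $svc.ImagePath
        Start      = $svc.Start
        ObjectName = $svc.ObjectName
        ServiceDll = $prm.ServiceDll
        Captured   = Get-Date
    }
}

Get-WaaSMedicState
Get-WaaSMedicChildProcesses -Hours 24 | Format-Table -AutoSize
Get-WaaSMedicRegistrySnapshot
```

The script deliberately reports rather than enforces: on some Windows 10 builds the service's security descriptor rejects Set-Service on WaaSMedicSvc, so a disable attempt should be pushed through your configuration management tooling and verified with the first function afterwards. If the 4688 query returns nothing on a busy host, confirm that the Audit Process Creation policy is enabled before concluding the service spawned no children.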
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Prioritize patching all Windows systems immediately; this is a critical privilege escalation vulnerability with public exploits available
2. Apply Microsoft security updates for Windows Update Medic Service across all affected Windows versions
3. Implement network segmentation to limit lateral movement from compromised systems
4. Monitor Windows Event logs to detect suspicious privilege escalation attempts (Event ID 4688, 4672)

PATCHING GUIDANCE:
1. Deploy patches via WSUS or Windows Update for all Windows 10 and Windows Server 2016/2019/2022 versions
2. Verify patch installation: check the Windows Update history and confirm the KB article is installed
3. Restart systems after patching to ensure complete remediation

COMPENSATING CONTROLS (if patching is delayed):
1. Disable the Windows Update Medic Service if not required: set the service startup type to 'Disabled'
2. Implement application whitelisting to prevent unauthorized privilege escalation attempts
3. Restrict local administrator account usage and enforce strong authentication
4. Enable Windows Defender Exploit Guard and Attack Surface Reduction rules

DETECTION RULES:
1. Monitor WaaSMedicSvc.exe (Windows Update Medic Service) for creating child processes with elevated privileges
2. Alert on Event ID 4688 with parent process WaaSMedicSvc.exe
3. Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
4. Detect suspicious token impersonation attempts targeting the SYSTEM account
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management and privilege management
A.5.2.2 - Segregation of duties
A.5.2.3 - User password management
A.5.2.4 - Review of user access rights
A.5.3.1 - Password quality requirements
A.5.3.2 - Password use and change
A.5.4.1 - Information access restriction
A.5.4.2 - Access to program source code
A.5.5.1 - Segregation of development, test and production environments
A.5.5.2 - Separation of duties
A.5.5.3 - Segregation of duties and separation of development, test and production environments
A.5.5.4 - Change management
A.5.5.5 - Access control for program source code
A.5.5.6 - Secure development policy
A.5.5.7 - Outsourced development
A.5.5.8 - Security testing in development and pre-production environments
A.5.6.1 - Management of technical vulnerabilities
A.5.6.2 - Restrictions on software installation
🔵 SAMA CSF
Governance & Risk Management - Vulnerability Management
Information & Cybersecurity - System Hardening & Patch Management
Information & Cybersecurity - Access Control & Identity Management
Operational Resilience - Incident Detection & Response
Third Party Risk Management - Vendor Security Assessment
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.5.2.1 - User registration and de-registration
A.5.2.2 - User access provisioning
A.5.2.3 - Management of privileged access rights
A.5.2.4 - Management of secret authentication information of users
A.5.2.5 - Access rights review
A.5.3.1 - Password management
A.5.4.1 - Information access restriction
A.5.4.2 - Access to source code
A.5.5.1 - Segregation of duties
A.5.5.2 - Segregation of development, test and production environments
A.5.5.3 - Separation of duties
A.5.5.4 - Change management
A.5.5.5 - Access control for program source code
A.5.5.6 - Secure development policy
A.5.5.7 - Outsourced development
A.5.5.8 - Security testing in development and pre-production environments
A.5.6.1 - Management of technical vulnerabilities
A.5.6.2 - Restrictions on software installation
A.8.1.1 - Screening
A.8.1.2 - Terms and conditions of employment
A.8.1.3 - Information security responsibilities and obligations
A.8.1.4 - Disciplinary process
A.8.2.1 - Management responsibilities
A.8.2.2 - Information security awareness, education and training
A.8.2.3 - Disciplinary process
A.8.3.1 - Responsibilities during employment termination or change
A.8.3.2 - Return of assets
A.8.3.3 - Removal of access rights
🟣 PCI DSS v4.0
Requirement 2.1 - Always change vendor-supplied defaults
Requirement 2.2 - Configuration standards for system components
Requirement 2.4 - Document and implement security configuration standards
Requirement 6.2 - Ensure security patches are installed
Requirement 7.1 - Limit access to system components by business need-to-know
Requirement 7.2 - Establish an access control system
Requirement 8.1 - Assign unique ID to each person with computer access
Requirement 8.2 - Ensure proper user authentication
Requirement 8.5 - Prevent reuse of passwords
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Windows
📊 CVSS Score
9.0
/ 10.0 — Critical
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 0.97%
Exploit: ✓ Yes
Patch: ✓ Yes
CISA KEV: 🇺🇸 Yes
KEV Due Date: 2021-11-17
Published: 2021-11-03
Source Feed: cisa_kev
Views: 3
🇸🇦 Saudi Risk Score
9.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
kev actively-exploited