الثغرات ›

CVE-2021-36948

حرج 🇺🇸 CISA KEV ⚡ اختراق متاح

Microsoft Windows Update Medic Service Privilege Escalation Vulnerability — Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation.

                    نُشر: Nov 3, 2021                                          ·  المصدر: CISA_KEV                

CVSS v3

9.0

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

Microsoft Windows Update Medic Service Privilege Escalation Vulnerability — Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation.

🤖 ملخص AI

CVE-2021-36948 is a critical privilege escalation vulnerability in Microsoft Windows Update Medic Service (CVSS 9.0) affecting Windows systems. An authenticated attacker can exploit this vulnerability to escalate privileges to SYSTEM level, potentially compromising entire systems. With public exploits available, this poses an immediate threat to Saudi organizations running unpatched Windows infrastructure.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Apr 21, 2026 00:33

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and energy sector (ARAMCO, Saudi Aramco subsidiaries). Windows Update Medic Service runs with elevated privileges on all Windows systems, making this a widespread threat. Compromised systems could lead to data exfiltration, lateral movement, and infrastructure disruption across critical sectors. Telecom operators (STC, Mobily) and financial institutions are particularly vulnerable due to extensive Windows deployment.

🏢 القطاعات السعودية المتأثرة

Banking & Financial Services Government & Public Administration Healthcare & Medical Services Energy & Utilities Telecommunications Transportation & Logistics Education Retail & Commerce

🎯 تقنيات MITRE ATT&CK

⚖️ درجة المخاطر السعودية (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Prioritize patching all Windows systems immediately — this is a critical privilege escalation with public exploits

2. Apply Microsoft security updates for Windows Update Medic Service across all affected Windows versions

3. Implement network segmentation to limit lateral movement from compromised systems

4. Monitor Windows Event Logs for suspicious privilege escalation attempts (Event ID 4688, 4672)



PATCHING GUIDANCE:

1. Deploy patches through WSUS or Windows Update for all Windows 10, Windows Server 2016/2019/2022 versions

2. Verify patch installation: Check Windows Update history and confirm KB article installation

3. Restart systems after patching to ensure complete remediation



COMPENSATING CONTROLS (if patching delayed):

1. Disable Windows Update Medic Service if not required: Set service startup type to 'Disabled'

2. Implement application whitelisting to prevent unauthorized privilege escalation attempts

3. Restrict local administrator account usage and enforce strong authentication

4. Enable Windows Defender Exploit Guard and Attack Surface Reduction rules



DETECTION RULES:

1. Monitor for WaaSMedicSvc.exe (Windows Update Medic Service) spawning child processes with elevated privileges

2. Alert on Event ID 4688 with parent process WaaSMedicSvc.exe

3. Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc

4. Detect suspicious token impersonation attempts targeting SYSTEM account

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. أولويات تصحيح جميع أنظمة Windows فوراً — هذه ثغرة حرجة في تصعيد الامتيازات مع استغلالات عامة متاحة

2. تطبيق تحديثات أمان Microsoft لخدمة Windows Update Medic Service عبر جميع إصدارات Windows المتأثرة

3. تنفيذ تقسيم الشبكة لتحديد الحركة الجانبية من الأنظمة المخترقة

4. مراقبة سجلات Windows Event للكشف عن محاولات تصعيد امتيازات مريبة (Event ID 4688, 4672)

إرشادات التصحيح:

1. نشر التصحيحات عبر WSUS أو Windows Update لجميع إصدارات Windows 10 و Windows Server 2016/2019/2022

2. التحقق من تثبيت التصحيح: تحقق من سجل Windows Update وتأكد من تثبيت مقالة KB

3. إعادة تشغيل الأنظمة بعد التصحيح لضمان الحل الكامل

الضوابط البديلة (إذا تأخر التصحيح):

1. تعطيل خدمة Windows Update Medic Service إذا لم تكن مطلوبة: اضبط نوع بدء الخدمة على 'معطل'

2. تنفيذ قائمة بيضاء للتطبيقات لمنع محاولات تصعيد الامتيازات غير المصرح بها

3. تقييد استخدام حساب المسؤول المحلي وفرض المصادقة القوية

4. تفعيل Windows Defender Exploit Guard وقواعد تقليل سطح الهجوم

قواعد الكشف:

1. مراقبة WaaSMedicSvc.exe (خدمة Windows Update Medic) لإنشاء عمليات فرعية بامتيازات مرتفعة

2. تنبيه على Event ID 4688 مع عملية الوالد WaaSMedicSvc.exe

3. مراقبة تعديلات السجل على HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc

4. الكشف عن محاولات محاكاة الرموز المريبة التي تستهدف حساب SYSTEM

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.5.2.1 - User access management and privilege management A.5.2.2 - Segregation of duties A.5.2.3 - User password management A.5.2.4 - Review of user access rights A.5.3.1 - Password quality requirements A.5.3.2 - Password use and change A.5.4.1 - Information access restriction A.5.4.2 - Access to program source code A.5.5.1 - Segregation of development, test and production environments A.5.5.2 - Separation of duties A.5.5.3 - Segregation of duties and separation of development, test and production environments A.5.5.4 - Change management A.5.5.5 - Access control for program source code A.5.5.6 - Secure development policy A.5.5.7 - Outsourced development A.5.5.8 - Security testing in development and pre-production environments A.5.6.1 - Management of technical vulnerabilities A.5.6.2 - Restrictions on software installation

🔵 SAMA CSF

Governance & Risk Management - Vulnerability Management Information & Cybersecurity - System Hardening & Patch Management Information & Cybersecurity - Access Control & Identity Management Operational Resilience - Incident Detection & Response Third Party Risk Management - Vendor Security Assessment

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.5.2.1 - User registration and de-registration A.5.2.2 - User access provisioning A.5.2.3 - Management of privileged access rights A.5.2.4 - Management of secret authentication information of users A.5.2.5 - Access rights review A.5.3.1 - Password management A.5.4.1 - Information access restriction A.5.4.2 - Access to source code A.5.5.1 - Segregation of duties A.5.5.2 - Segregation of development, test and production environments A.5.5.3 - Separation of duties A.5.5.4 - Change management A.5.5.5 - Access control for program source code A.5.5.6 - Secure development policy A.5.5.7 - Outsourced development A.5.5.8 - Security testing in development and pre-production environments A.5.6.1 - Management of technical vulnerabilities A.5.6.2 - Restrictions on software installation A.8.1.1 - Screening A.8.1.2 - Terms and conditions of employment A.8.1.3 - Information security responsibilities and obligations A.8.1.4 - Disciplinary process A.8.2.1 - Management responsibilities A.8.2.2 - Information security awareness, education and training A.8.2.3 - Disciplinary process A.8.3.1 - Responsibilities during employment termination or change A.8.3.2 - Return of assets A.8.3.3 - Removal of access rights

🟣 PCI DSS v4.0

Requirement 2.1 - Always change vendor-supplied defaults Requirement 2.2 - Configuration standards for system components Requirement 2.4 - Document and implement security configuration standards Requirement 6.2 - Ensure security patches are installed Requirement 7.1 - Limit access to system components by business need-to-know Requirement 7.2 - Establish an access control system Requirement 8.1 - Assign unique ID to each person with computer access Requirement 8.2 - Ensure proper user authentication Requirement 8.5 - Prevent reuse of passwords

🔗 المراجع والمصادر 0

لا توجد مراجع.

📦 المنتجات المتأثرة 1 منتج

Microsoft:Windows

📊 CVSS Score

9.0

/ 10.0 — حرج

📋 حقائق سريعة

الخطورة حرج

CVSS Score9.0

EPSS0.97%

اختراق متاح ✓ نعم

تصحيح متاح ✓ نعم

CISA KEV🇺🇸 Yes

تاريخ الإصلاح2021-11-17

تاريخ النشر 2021-11-03

المصدر cisa_kev

المشاهدات 4

🇸🇦 درجة المخاطر السعودية

9.2

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

kev actively-exploited

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-36948

عرّفنا بنفسك

تسجيل الدخول مطلوب