Vulnerabilities ›

CVE-2021-36955

Critical 🇺🇸 CISA KEV ⚡ Exploit Available

Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability — Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for

                    Published: Nov 3, 2021                                          ·  Source: CISA_KEV                

CVSS v3

9.0

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

CVE-2021-36955 is a critical privilege escalation vulnerability in Microsoft Windows CLFS driver with a CVSS score of 9.0. An authenticated attacker can exploit this vulnerability to gain SYSTEM-level privileges on affected Windows systems. With public exploits available, this poses an immediate threat to Saudi organizations running vulnerable Windows versions.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 00:34

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare facilities, and energy sector (ARAMCO, SEC). Windows systems are ubiquitous across Saudi infrastructure. Successful exploitation enables lateral movement, data exfiltration, and ransomware deployment. Government and financial institutions are high-priority targets for threat actors exploiting this vulnerability.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Facilities Energy and Utilities Telecommunications Critical Infrastructure Education Manufacturing

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1134.003 - Access Token Manipulation: Make and Impersonate Token T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1543.003 - Create or Modify System Process: Windows Service T1611 - Escape to Host

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Windows systems in your environment and prioritize critical infrastructure (banking, government, healthcare, energy)

2. Apply Microsoft security patches immediately for affected Windows versions (Windows 7, 8.1, 10, Server 2008 R2, 2012, 2012 R2, 2016, 2019)

3. Restrict local administrative access and enforce principle of least privilege

4. Monitor for suspicious CLFS driver activity and privilege escalation attempts



PATCHING GUIDANCE:

- Deploy patches through WSUS or Microsoft Update with priority classification

- Test patches in non-production environments first

- Schedule patching for critical systems within 48 hours



COMPENSATING CONTROLS (if patching delayed):

- Disable CLFS driver if not required for business operations

- Implement application whitelisting to prevent unauthorized code execution

- Enable Windows Defender Exploit Guard and Attack Surface Reduction rules

- Monitor Event Viewer for privilege escalation attempts (Event ID 4688, 4689)



DETECTION RULES:

- Alert on suspicious CLFS.sys driver activity

- Monitor for unexpected SYSTEM privilege grants

- Track failed privilege escalation attempts in security logs

- Use EDR solutions to detect process creation with elevated privileges

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع أنظمة Windows في بيئتك وحدد أولويات البنية التحتية الحرجة (البنوك والحكومة والرعاية الصحية والطاقة)

2. طبق تصحيحات أمان Microsoft فوراً للإصدارات المتأثرة من Windows

3. قيد الوصول الإداري المحلي وفرض مبدأ الامتياز الأقل

4. راقب نشاط برنامج تشغيل CLFS المريب ومحاولات تصعيد الامتيازات



إرشادات التصحيح:

- نشر التصحيحات عبر WSUS أو Microsoft Update بتصنيف الأولوية

- اختبر التصحيحات في بيئات غير الإنتاج أولاً

- جدول التصحيح للأنظمة الحرجة خلال 48 ساعة



الضوابط البديلة:

- عطل برنامج تشغيل CLFS إذا لم يكن مطلوباً للعمليات التجارية

- طبق قائمة بيضاء للتطبيقات لمنع تنفيذ الأكواد غير المصرح بها

- فعّل Windows Defender Exploit Guard وقواعد تقليل سطح الهجوم

- راقب Event Viewer لمحاولات تصعيد الامتيازات



قواعد الكشف:

- تنبيهات نشاط برنامج تشغيل CLFS المريب

- مراقبة منح امتيازات SYSTEM غير المتوقعة

- تتبع محاولات تصعيد الامتيازات الفاشلة في سجلات الأمان

- استخدم حلول EDR للكشف عن إنشاء العمليات برفع الامتيازات

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies ECC 2024 A.5.2.1 - User Registration and De-registration ECC 2024 A.5.3.1 - Access Rights Review ECC 2024 A.8.1.1 - Information Security Awareness ECC 2024 A.12.2.1 - Change Management

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Hardware and Software Inventory SAMA CSF PR.AC-1 - Access Control Policy SAMA CSF PR.PT-1 - Security Awareness and Training SAMA CSF DE.CM-1 - System Monitoring SAMA CSF RS.MI-1 - Incident Response Planning

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access Control ISO 27001:2022 A.8.1 - Information Security Awareness ISO 27001:2022 A.8.2 - Information Security Awareness, Education and Training ISO 27001:2022 A.12.6.1 - Management of Technical Vulnerabilities

🟣 PCI DSS v4.0

PCI DSS 2.2 - Configuration Standards PCI DSS 6.2 - Security Patches PCI DSS 10.2 - User Access Logging

🔗 References & Sources 0

No references.

📦 Affected Products / CPE 1 entries

Microsoft:Windows

📊 CVSS Score

9.0

/ 10.0 — Critical

📋 Quick Facts

Severity Critical

CVSS Score9.0

EPSS20.64%

Exploit ✓ Yes

Patch ✓ Yes

CISA KEV🇺🇸 Yes

KEV Due Date2021-11-17

Published 2021-11-03

Source Feed cisa_kev

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

kev actively-exploited ransomware

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-36955

Introduce Yourself

Sign In Required