CVE-2021-23874 — McAfee Total Protection (MTP) Improper Privilege Management Vulnerability

CVE-2021-23874

McAfee Total Protection — Self-Defense Bypass via Improper Privilege Management Escalates to SYSTEM; Security Tool's Own Anti-Tamper Mechanism Becomes the Escalation Vector

What is McAfee Total Protection?

McAfee Total Protection (MTP) is a consumer and small-business endpoint security product providing antivirus, firewall, identity protection, and web filtering. Like all endpoint security products, McAfee Total Protection runs critical components with elevated (SYSTEM-level) privileges to perform scanning and protection functions, and implements "self-defense" mechanisms that prevent standard users from disabling or tampering with the product. These self-defense features are themselves a security boundary: a vulnerability that bypasses them allows a local attacker to leverage the AV product's own elevated privileges as an escalation vector, effectively turning the security tool against the system it protects.

Overview

CVE-2021-23874 is an improper privilege management vulnerability (CWE-269) in McAfee Total Protection. A local attacker with standard user privileges can exploit the flaw to bypass MTP's self-defense mechanisms and escalate to SYSTEM-level code execution. The Scope:Changed (S:C) CVSS rating reflects that the attack crosses a privilege boundary — the attacker moves from a user-context process into the SYSTEM context managed by MTP's privileged components. The User Interaction:Required (UI:R) rating indicates the exploit requires some action by a logged-in user, though this does not require the victim to be a privileged user. McAfee patched the vulnerability in February 2021 and CISA added it to KEV in November 2021.

Affected Versions

Product                  Vulnerable                              Fixed
McAfee Total Protection  Versions prior to February 2021 patch   Apply February 2021 security update

Technical Details

CWE-269 (Improper Privilege Management). McAfee Total Protection's self-defense mechanism is designed to prevent standard users from modifying, disabling, or unloading the security product's components. A flaw in how MTP manages privileges around a specific operation allows a local attacker to abuse the self-defense mechanism itself — triggering privileged MTP operations in a way that executes attacker-controlled code at SYSTEM level.

The S:C (Scope:Changed) rating is significant: it means the vulnerability does not merely allow the attacker to execute code at elevated privilege within their own security context, but actively changes the security scope — the attacker crosses from a user-mode context into the SYSTEM context enforced by MTP's privileged components. This is the same pattern seen in link-following and TOCTOU attacks against AV scan engines: the security product's elevated privileges become the escalation mechanism.

UI:R reflects that the exploit path involves some user interaction — typically requiring a logged-in user to perform an action (such as opening a file or triggering a specific UI workflow) that causes MTP's privileged component to execute the attacker-influenced code path.

Discovery

McAfee disclosed the vulnerability in February 2021. The specific researcher or research team credited has not been identified in publicly available sources.

Exploitation Context

CISA added CVE-2021-23874 to the KEV catalog on November 3, 2021. In practice, self-defense bypass vulnerabilities in consumer AV products are used to escalate privileges on endpoints where McAfee Total Protection is installed, turning the security product from a protective layer into an escalation primitive. No specific threat actor, ransomware group, or campaign has been publicly attributed.

Remediation

  1. Apply the McAfee Total Protection security update released in February 2021 to all affected installations.
  2. Ensure automatic updates are enabled in McAfee Total Protection — the product's built-in update mechanism delivers the patch automatically when configured.
  3. For managed deployments via McAfee ePolicy Orchestrator (ePO): push the update to all managed endpoints through the ePO console and verify receipt.
  4. Review local endpoint logs for unexpected SYSTEM-level process executions from MTP components as a potential exploitation indicator.
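A triage helper for step 4, added here as an example and not McAfee's own tooling. It assumes Sysmon process-creation events (Event ID 1) exported as JSON lines, an MTP install root given by the placeholder MCAFEE_DIR, and flags any SYSTEM-context process that an MTP component started from outside the MTP and Windows directories; the sample events are constructed.

```python
"""Flag SYSTEM-context processes spawned by MTP components from unexpected paths.

Added example, not part of the advisory or of McAfee's product. Input is
Sysmon Event ID 1 (process creation) records as JSON lines. The install
root below is an assumed placeholder; adjust it to the real deployment.
"""
import json

MCAFEE_DIR = r"C:\Program Files\McAfee"   # assumed MTP install root (placeholder)
WINDOWS_DIR = r"C:\Windows"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


def _under(path, root):
    """True if a Windows path lies inside root (case-insensitive prefix test)."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def suspicious_spawns(jsonl):
    """Return records where an MTP component running as SYSTEM started a
    process whose image is outside the MTP and Windows directories."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1 or ev.get("User") != SYSTEM_USER:
            continue
        if not _under(ev.get("ParentImage", ""), MCAFEE_DIR):
            continue  # parent is not an MTP component; out of scope here
        image = ev.get("Image", "")
        if _under(image, MCAFEE_DIR) or _under(image, WINDOWS_DIR):
            continue  # expected locations for MTP children
        hits.append({"time": ev.get("UtcTime"), "parent": ev["ParentImage"],
                     "image": image, "cmd": ev.get("CommandLine", "")})
    return hits


# Constructed sample telemetry (file names are placeholders, not real MTP binaries):
# a benign in-tree child, a benign Windows binary, and a child from a user temp dir.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "UtcTime": "2021-03-01 09:00:01", "User": SYSTEM_USER,
     "ParentImage": r"C:\Program Files\McAfee\mtp_component.exe",
     "Image": r"C:\Program Files\McAfee\mtp_helper.exe", "CommandLine": "mtp_helper.exe"},
    {"EventID": 1, "UtcTime": "2021-03-01 09:00:02", "User": SYSTEM_USER,
     "ParentImage": r"C:\Program Files\McAfee\mtp_component.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": 1, "UtcTime": "2021-03-01 09:00:03", "User": SYSTEM_USER,
     "ParentImage": r"C:\Program Files\McAfee\mtp_component.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\payload.exe", "CommandLine": "payload.exe"},
])

if __name__ == "__main__":
    for hit in suspicious_spawns(SAMPLE_EVENTS):
        print(hit)
```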

See Also

This CVE is part of a pattern of AV and EDR product vulnerabilities in CISA KEV. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property              Value
CVE ID                CVE-2021-23874
Vendor / Product      McAfee — McAfee Total Protection (MTP)
NVD Published         2021-02-10
NVD Last Modified     2025-11-03
CVSS 3.1 Score        8.2
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-269
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      Required
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-02-10   McAfee publishes security bulletin and patches CVE-2021-23874
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                 Type
NVD — CVE-2021-23874     Vulnerability Database
CISA KEV Catalog Entry   US Government