What is the Windows Kernel?
The Windows NT kernel is the core operating system component running at the highest CPU privilege level (ring 0), managing memory, processes, hardware access, and all security enforcement on Windows systems. Privilege escalation vulnerabilities in the Windows kernel allow code running in a low-privileged user-mode process to execute instructions in kernel context — achieving SYSTEM privileges and bypassing all user-mode security boundaries including UAC, process isolation, and security software that does not operate at the kernel level. Windows kernel LPE vulnerabilities are among the most operationally valuable bugs for post-exploitation attackers.
Overview
CVE-2021-33771 is a Windows kernel privilege escalation vulnerability that allows a low-privileged local user to escalate to SYSTEM. Microsoft patched it in the July 2021 Patch Tuesday release (2021-07-13) alongside the companion vulnerability CVE-2021-31979; both were acknowledged as zero-days exploited in the wild. Kaspersky Research identified that these two Windows kernel LPE bugs were used together by the same threat actor in targeted campaigns, giving the actor redundant privilege escalation options across different Windows versions and configurations. CISA added both to the KEV catalog on 2021-11-03, the day BOD 22-01 established the catalog.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | July 2021 Patch Tuesday |
| Windows Server 2016 | Yes | July 2021 Patch Tuesday |
| Windows Server 2019 | Yes | July 2021 Patch Tuesday |
| Windows 7 SP1 / Server 2008 R2 (Extended Security Updates only) | Yes | July 2021 Patch Tuesday |
Technical Details
- Root cause: a memory-corruption flaw in a Windows kernel component that the public advisory does not identify. A low-privileged local user can trigger it to corrupt kernel memory structures and run attacker-controlled code in kernel context, from which the process token is replaced or elevated to SYSTEM
- SYSTEM privileges: successful exploitation grants the attacker NT AUTHORITY\SYSTEM, the most privileged user-mode account on Windows, allowing unrestricted access to all local resources, credential dumping from LSASS, tampering with or disabling defenses, and installation of persistence
- Paired exploitation with CVE-2021-31979: Kaspersky Research identified that CVE-2021-33771 and CVE-2021-31979 were deployed together by the same threat actor, suggesting each covered different Windows versions, build numbers, or kernel configurations where the other exploit might fail — ensuring reliable privilege escalation across a target environment
- Zero-day at patch time: Both CVE-2021-33771 and CVE-2021-31979 were patched with explicit acknowledgment of in-the-wild exploitation, indicating advanced threat actor access to multiple simultaneous Windows kernel zero-days
- No user interaction required: CVSS PR:L/UI:N — standard LPE exploitation requiring only a local low-privileged account
Discovery
Identified as a zero-day actively exploited before the July 2021 patch. Kaspersky Research analyzed the exploitation patterns and attributed coordinated use of both CVE-2021-33771 and CVE-2021-31979 to the same threat actor cluster, providing evidence of sophisticated adversaries deploying paired kernel exploits for operational reliability.
Exploitation Context
The paired deployment of CVE-2021-33771 and CVE-2021-31979 is indicative of professional exploit development operations: advanced actors build exploit toolkits with multiple LPE options to ensure reliable privilege escalation against a variety of Windows configurations. After gaining initial access (via phishing, credential theft, or exploitation of a network-facing service), these kernel escalation tools convert a limited foothold into full SYSTEM control. From SYSTEM, attackers can dump all Windows credentials from LSASS, disable EDR/AV through kernel manipulation, create persistent access mechanisms, and move laterally with machine account credentials. The November 2021 CISA KEV additions for both CVEs reflect ongoing exploitation of the July 2021 kernel vulnerabilities against unpatched systems.
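The foothold-to-SYSTEM transition described above leaves one reliable artifact in process-creation telemetry: a SYSTEM child whose parent is an ordinary user's process or a binary in a user-writable path. The following is an added example (not code from this page, from Microsoft, or from Kaspersky) that hunts Sysmon Event ID 1 records for that pattern. Field names follow Sysmon's EventData (Image, User, ParentImage, ParentUser); it assumes a Sysmon build that populates ParentUser, and the sample events at the bottom are constructed for illustration.

```powershell
# Added example, not code from the page or from Microsoft: hunt Sysmon
# process-creation events (Event ID 1) for a SYSTEM child spawned by a
# user-owned parent, the typical shape of a kernel LPE's final step.
# ASSUMPTION: the Sysmon build in use populates the ParentUser field.

# Identities that legitimately create SYSTEM children (services.exe, the
# svchost-hosted AppInfo UAC broker, Task Scheduler) run as one of these.
$PrivilegedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)
# Directories SYSTEM processes are normally launched from; a parent living in a
# user-writable path (Downloads, Temp, AppData) is the second signal.
$TrustedParentRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record's EventData into a hashtable keyed by field name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-SuspiciousSystemSpawn {
    # Flag SYSTEM children whose parent ran as an ordinary user or from an
    # untrusted path. After a kernel LPE the exploit process (still owned by the
    # user, or holding a freshly stolen SYSTEM token) spawns cmd.exe/powershell.exe.
    param([Parameter(Mandatory)][hashtable[]]$Events)
    foreach ($e in $Events) {
        if ($e.User -ne 'NT AUTHORITY\SYSTEM') { continue }
        $parentIsUser    = $PrivilegedPrincipals -notcontains $e.ParentUser
        $parentUntrusted = -not ($TrustedParentRoots | Where-Object { $e.ParentImage -like "$_*" })
        if (-not ($parentIsUser -or $parentUntrusted)) { continue }
        $reason = if ($parentIsUser) { 'parent is not a service principal' } else { 'parent outside system directories' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Parent      = "$($e.ParentImage) [$($e.ParentUser)]"
            Child       = "$($e.Image) [$($e.User)]"
            CommandLine = $e.CommandLine
            Reason      = $reason
        }
    }
}

# Constructed sample: a UAC-brokered elevation (parent svchost.exe as SYSTEM,
# benign) and a SYSTEM shell spawned by a user-owned binary in Downloads.
$SampleEvents = @(
    @{ TimeCreated = '2021-07-14T09:12:03'; Image = 'C:\Windows\System32\cmd.exe'
       User = 'NT AUTHORITY\SYSTEM'; ParentImage = 'C:\Windows\System32\svchost.exe'
       ParentUser = 'NT AUTHORITY\SYSTEM'; CommandLine = 'cmd.exe /c whoami' },
    @{ TimeCreated = '2021-07-14T09:15:41'; Image = 'C:\Windows\System32\cmd.exe'
       User = 'NT AUTHORITY\SYSTEM'; ParentImage = 'C:\Users\alice\Downloads\update.exe'
       ParentUser = 'CORP\alice'; CommandLine = 'cmd.exe' }
)
Find-SuspiciousSystemSpawn -Events $SampleEvents | Format-Table -AutoSize

# Live hunt over the Sysmon operational log:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#         ForEach-Object { ConvertFrom-SysmonEvent -Record $_ }
# Find-SuspiciousSystemSpawn -Events $live
```

Only the second sample event is reported. One caveat applies to any process-event rule: if the exploit overwrites its own process token with a copy of SYSTEM's, Sysmon records ParentUser as SYSTEM at the time the child is created, and only the path check fires. Telemetry on token or handle changes inside the kernel, which EDR sensors can provide and event logs cannot, is what closes that gap.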
Remediation
- Apply July 2021 Patch Tuesday updates — this addresses both CVE-2021-33771 and CVE-2021-31979 simultaneously
- Verify patch installation across all Windows systems in the environment — particularly domain controllers, servers, and workstations accessible via RDP or other remote access
- Enforce the principle of least privilege: domain accounts should not hold local administrator rights on workstations or servers beyond what is operationally required. This does not stop the exploit itself, which needs only an ordinary local logon (PR:L), but it limits the credentials and lateral paths that a compromised host exposes
- Deploy EDR capable of detecting kernel exploit behaviour: a medium-integrity user process spawning a SYSTEM child, a process whose token changes to SYSTEM without going through a service or the UAC broker, or a user-owned binary launching from a user-writable path with SYSTEM privileges should trigger immediate investigation
- Consider Windows Defender Credential Guard, which isolates LSA secrets from the normal kernel and so blunts LSASS credential dumping after SYSTEM escalation; it does not protect credentials typed after the compromise, and a kernel-level attacker can still tamper with the unprotected parts of the host
- Prioritize applying all July 2021 and subsequent Patch Tuesday updates across the environment, as multiple Windows kernel LPE vulnerabilities were patched concurrently in this period
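The patch-verification step above is the one most often done by eye. The following is an added example (not code from this page or from Microsoft) that reports, for the local host, whether the July 2021 cumulative update or a later one that supersedes it is installed. KB numbers are deliberately not hard-coded, because they differ per build and are not listed on this page; pass the KB identifier(s) from Microsoft's advisory for the host's build.

```powershell
# Added example, not code from the page or from Microsoft: report whether a
# host carries the July 2021 cumulative update (released 2021-07-13) or a
# later one that supersedes it. KB numbers are deliberately not hard-coded;
# pass the KB(s) Microsoft's advisory lists for the host's build.

function Get-WindowsBuildInfo {
    # Build and UBR (update build revision) together identify the installed
    # cumulative update; UBR increments with every LCU.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion   # e.g. 21H1; absent on Windows 7 / Server 2008 R2
        Build          = [int]$cv.CurrentBuildNumber
        UBR            = [int]$cv.UBR
    }
}

function Test-July2021KernelPatch {
    param(
        # KB identifier(s) of the July 2021 update for this build, taken from the advisory.
        [Parameter(Mandatory)][string[]]$RequiredKB,
        [datetime]$FixReleaseDate = [datetime]'2021-07-13'
    )
    $hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
    $present  = $hotfixes | Where-Object { $RequiredKB -contains $_.HotFixID }
    # Cumulative updates supersede one another, so any "Update"/"Security Update"
    # installed on or after the fix date also carries the fix. InstalledOn can be
    # empty for some entries; those are ignored here.
    $laterUpdate = $hotfixes | Where-Object {
        $_.Description -match 'Update' -and $_.InstalledOn -and $_.InstalledOn -ge $FixReleaseDate
    }
    $build  = Get-WindowsBuildInfo
    $newest = $hotfixes | Select-Object -First 1
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OS                = (@($build.ProductName, $build.DisplayVersion, "$($build.Build).$($build.UBR)") | Where-Object { $_ }) -join ' '
        RequiredKbPresent = [bool]$present
        NewestUpdate      = $newest.HotFixID
        NewestUpdateDate  = $newest.InstalledOn
        LikelyPatched     = [bool]$present -or [bool]$laterUpdate
    }
}

# Usage (replace the placeholder with the KB from the advisory for this build):
# Test-July2021KernelPatch -RequiredKB 'KB<from advisory>'
```

RequiredKbPresent is the authoritative answer; LikelyPatched is a superseding-update heuristic for hosts where the original KB was never installed directly. For a fleet check, put both functions and the final call into one script and run it with Invoke-Command -FilePath against the host list, then review any row where LikelyPatched is False, giving priority to domain controllers and hosts reachable over RDP.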
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-33771 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-07-14 |
| NVD Last Modified | 2025-10-29 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
| Base Score | 7.8 (High) |
Required Action
Apply the July 2021 Patch Tuesday updates (or any later cumulative update that supersedes them) across all affected Windows systems. CISA BOD 22-01 set a federal remediation deadline of 2021-11-17.
Timeline
| Date | Event |
|---|---|
| 2021-07-13 | Microsoft patches CVE-2021-33771 alongside CVE-2021-31979 in July 2021 Patch Tuesday — both acknowledged as zero-days exploited in the wild |
| 2021-07-14 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog (same date as CVE-2021-31979) |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-33771 | Vendor Advisory |
| NVD — CVE-2021-31979 (companion vulnerability) | Vulnerability Database |
| NVD — CVE-2021-33771 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |