CVE-2021-34484

What is the Windows User Profile Service?

The Windows User Profile Service (ProfSvc) is a core Windows component responsible for loading, managing, and unloading user profiles when users log on and off a Windows system. When a new user logs in for the first time, the User Profile Service copies the default user profile to a new location in C:\Users\ to create that user's personal profile directory. Because this profile copy operation is performed by a SYSTEM-privileged process (the User Profile Service itself), any vulnerability in how it handles file paths or symbolic links during the copy can be abused by a low-privileged user to gain SYSTEM-level file write access — the classic "privileged file operation" escalation pattern.

Overview

CVE-2021-34484 is a privilege escalation vulnerability in the Windows User Profile Service, allowing a low-privileged local user to escalate to SYSTEM privileges. The vulnerability exploits the User Profile Service's profile copy operation: by placing a junction or symbolic link in the expected path before or during the copy, an attacker can redirect the SYSTEM-level write operation to an arbitrary location — overwriting or creating privileged files. Microsoft patched this in August 2021 Patch Tuesday. CISA added it to the KEV catalog in March 2022, seven months after the patch, confirming active exploitation in post-compromise attack chains.

Affected Versions

Technical Details

• Root cause: Improper handling of symbolic links or junctions during the User Profile Service's profile directory copy operation — the SYSTEM-privileged service does not adequately validate that the destination path has not been replaced with a junction pointing to a sensitive location
• Junction/symlink attack: An attacker creates a user account or triggers a profile creation event, then races to place a directory junction at the expected profile path before the copy completes; the privileged copy process follows the junction and writes attacker-controlled content to an arbitrary filesystem location
• SYSTEM file write → SYSTEM code execution: Arbitrary file write as SYSTEM allows overwriting binaries in system directories, DLL hijacking in privileged service directories, or creating malicious scheduled task XML files — all leading to SYSTEM code execution
• Attack prerequisites: Requires a low-privileged local account (PR:L) and no user interaction — standard for post-exploitation privilege escalation on systems where attackers have gained an initial foothold
• Post-exploitation use: CVE-2021-34484 fits the profile of post-compromise privilege escalation: an attacker who has obtained a low-privileged session (via phishing, credential stuffing, or initial access broker) uses this to achieve SYSTEM before moving laterally

Discovery

Reported to Microsoft and addressed in August 2021 Patch Tuesday. The March 2022 CISA KEV addition reflects confirmed exploitation in the seven months between patch release and catalog entry — consistent with the vulnerability being incorporated into post-exploitation toolkits used in ransomware and targeted intrusion campaigns following initial access.

Exploitation Context

Windows local privilege escalation vulnerabilities in core OS services like User Profile Service are reliable building blocks for ransomware affiliates and targeted intrusion operators. After gaining a low-privileged foothold via phishing, credential theft, or exploitation of an internet-facing service, attackers use LPE vulnerabilities like CVE-2021-34484 to escalate to SYSTEM before disabling defenses, encrypting files, or moving laterally with SYSTEM-level Kerberos tickets. The seven-month gap between August 2021 patch and March 2022 KEV addition reflects the time required for exploitation evidence to accumulate across incident response investigations.

Remediation

1. Apply August 2021 Patch Tuesday updates (KB5005033 for Windows 10 20H2/21H1, and equivalent KBs for other versions) — check the Microsoft Update Catalog for the appropriate KB for your Windows version
2. Verify patch installation: run systeminfo | findstr KB and confirm the August 2021 Patch Tuesday KB is listed
3. Enforce principle of least privilege — limit the number of accounts with local logon rights on servers; use Just-in-Time access for administrative tasks
4. Monitor for suspicious User Profile Service activity: unexpected profile creation events for existing users, or profile directory creation in unusual locations
5. Enable Windows Defender Credential Guard and Attack Surface Reduction rules to limit the post-exploitation utility of LPE vulnerabilities
6. Audit local accounts on Windows systems; remove unnecessary local accounts that could provide an attacker with the low-privileged access needed to exploit this vulnerability