What is Windows Update Medic Service?
The Windows Update Medic Service (WaaSMedicSvc) is a Windows component introduced in Windows 10 whose primary purpose is to protect the Windows Update service from being disabled by users or software. Because keeping Windows Update running is deemed a system health function, WaaSMedicSvc is designed to restart Windows Update services even when a user or administrator attempts to stop or disable them. Ironically, this protective design — running as SYSTEM and having special authority to restart and reconfigure update-related services — creates a high-value attack surface: any vulnerability in how the Medic Service loads code or handles service operations can be exploited by a low-privileged user to gain SYSTEM privileges.
Overview
CVE-2021-36948 is a local privilege escalation vulnerability in the Windows Update Medic Service that allows a low-privileged user to escalate to SYSTEM. Microsoft patched it in the August 2021 Patch Tuesday release and acknowledged it as a zero-day, meaning it was exploited in the wild before the patch was available. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in November 2021. The vulnerability fits the broader pattern of attackers using Windows system-service privilege escalation bugs to convert initial access into full system control as part of post-compromise attack chains.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (multiple versions) | Yes | August 2021 Patch Tuesday |
| Windows 11 | Yes | August 2021 Patch Tuesday |
| Windows Server 2019 | Yes | August 2021 Patch Tuesday |
| Windows Server 2022 | Yes | August 2021 Patch Tuesday |
Technical Details
- Root cause: The Windows Update Medic Service contains a privilege escalation vulnerability in how it handles service operations or DLL/binary loading — a low-privileged user can influence a code path executed in the SYSTEM context of the Medic Service, achieving SYSTEM-level code execution
- SYSTEM execution: WaaSMedicSvc runs as LocalSystem (SYSTEM), making any code execution within its context equivalent to full SYSTEM privileges — bypassing all user-mode privilege restrictions
- Zero-day status: Microsoft's August 2021 Patch Tuesday advisory acknowledged exploitation in the wild before the patch — indicating this was weaponized and deployed before defenders could patch
- No user interaction required: CVSS AV:L/PR:L/UI:N — a low-privileged account on the local system can exploit this without any interaction from another user or administrator
- Post-exploitation value: Attackers who gain a low-privileged initial foothold (e.g., via phishing or credential theft) use SYSTEM-level LPE to dump LSASS credentials, disable security tools, create privileged accounts, and move laterally with elevated access
Discovery
The vulnerability was reported to Microsoft as a zero-day, actively exploited before the August 2021 patch. Its zero-day status indicates that a threat actor (or broker) identified and weaponized it prior to disclosure and incorporated it into targeted attack campaigns before Microsoft could issue a fix.
Exploitation Context
Zero-day Windows LPE vulnerabilities targeting background system services like WaaSMedicSvc are particularly valuable to advanced threat actors because they provide reliable SYSTEM escalation that bypasses UAC and does not require administrator interaction. The November 2021 CISA KEV addition (three months after the patch) reflects ongoing exploitation against unpatched Windows systems — a pattern consistent with ransomware affiliates and targeted intrusion operators who routinely include multiple LPE options in their post-exploitation toolkits. WaaSMedicSvc is present across all modern Windows installations, giving this vulnerability universal applicability against Windows endpoints.
Remediation
- Apply August 2021 Patch Tuesday updates — the specific KB depends on Windows version; check the Microsoft Security Update Guide for CVE-2021-36948
- Prioritize patching based on exposure: internet-facing systems, RDP-accessible servers, and systems with broad network access should be patched first
- Implement principle of least privilege — reduce the number of accounts with local logon access to servers to minimize the exposure from local LPE vulnerabilities
- Enable Windows Defender Credential Guard to protect against credential theft that follows SYSTEM privilege escalation
- Monitor for anomalous SYSTEM-level process creation from service processes — EDR tooling should flag unexpected child processes spawned by WaaSMedicSvc or related Windows Update service processes
- Enable Controlled Folder Access and Application Guard to limit the post-exploitation utility of SYSTEM privileges
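One way to act on the monitoring recommendation above, as an added example that is not from the original page or from Microsoft: a small Python detection routine run over constructed Sysmon Event ID 1 (process creation) records, flagging any process whose parent is the svchost.exe instance hosting WaaSMedicSvc. It assumes the service runs in its own service host (so "-s WaaSMedicSvc" appears on the parent command line) and that the telemetry exposes Sysmon's ParentCommandLine field; the sample events, the "-k wusvcs" group name and the list of high-risk child images are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Sysmon Event ID 1 carries ParentCommandLine, which is what lets us tell the
# svchost.exe instance hosting WaaSMedicSvc apart from the other service hosts.
# Assumption: the service runs in its own host, so the service name appears
# after "-s" on the command line (the default split-host behaviour).
MEDIC_HOST_RE = re.compile(r"\bsvchost\.exe\b.*\s-s\s+WaaSMedicSvc\b", re.IGNORECASE)

# Shell and scripting hosts an update-health service has no reason to start.
HIGH_RISK_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

@dataclass
class Finding:
    severity: str
    image: str
    command_line: str
    user: str

def detect_medic_children(events: Iterable[dict]) -> list[Finding]:
    """Flag every process whose parent is the WaaSMedicSvc service host.

    Events are dicts keyed by Sysmon Event 1 field names (Image, CommandLine,
    ParentImage, ParentCommandLine, User). Any child is reported, because the
    Medic service is not expected to spawn processes at all; shells and
    LOLBins are escalated to "high" severity.
    """
    findings = []
    for ev in events:
        if not MEDIC_HOST_RE.search(ev.get("ParentCommandLine", "")):
            continue
        basename = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        severity = "high" if basename in HIGH_RISK_IMAGES else "medium"
        findings.append(Finding(severity, ev.get("Image", ""),
                                ev.get("CommandLine", ""), ev.get("User", "")))
    return findings

# Constructed sample telemetry, not captured data ("-k wusvcs" is illustrative).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s wuauserv",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in detect_medic_children(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} as {f.user}: {f.command_line}")
```

Only the first sample event is reported (as "high"), since the second is the normal Windows Update host started by services.exe.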
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-36948 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-08-12 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-08-10 | Microsoft patches CVE-2021-36948 in August 2021 Patch Tuesday — acknowledged as zero-day (exploited before patch) |
| 2021-08-12 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-36948 | Vendor Advisory |
| NVD — CVE-2021-36948 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |