CVE-2021-41379 — Microsoft Windows Installer Privilege Escalation Vulnerability

CVE-2021-41379

Windows Installer (MSI) — Improper Link Resolution Allows Low-Privileged User to Delete Protected Files; Subsequent PoC Achieved Full SYSTEM Escalation

What is Windows Installer?

Windows Installer (MSI) is the Windows component responsible for installing, updating, and removing software. It runs with SYSTEM privileges as the Windows Installer service (msiexec.exe), which lets it write to protected directories and modify system configuration during installations. Because the service runs as SYSTEM yet must handle files and directories that originate with software packages (temporary files, extracted payloads, rollback data), it is exposed to link-following attacks (CWE-59): if a low-privileged user can influence which paths the SYSTEM-privileged Installer operates on, the Installer's elevated privileges can be turned against attacker-chosen files outside its intended scope.

Overview

CVE-2021-41379 is an improper link resolution vulnerability (CWE-59) in Windows Installer that allows a low-privileged local user to delete files they normally cannot access, by leveraging the SYSTEM privileges of the Windows Installer service. The CVSS vector (C:N/I:N/A:H) reflects a file deletion primitive rather than code execution: the Installer can be tricked into deleting attacker-specified files under its SYSTEM context. However, security researcher Abdelhamid Naceri published a proof-of-concept (InstallerFileTakeOver) shortly after the patch was released, demonstrating that the patch was incomplete and that full SYSTEM-level privilege escalation was achievable through the same Windows Installer attack surface. CISA added the CVE to the KEV catalog in March 2022, reflecting active exploitation.

Affected Versions

Product                            Vulnerable   Fixed
Windows 10 (multiple versions)     Yes          November 2021 Patch Tuesday
Windows 11                         Yes          November 2021 Patch Tuesday
Windows Server 2016, 2019, 2022    Yes          November 2021 Patch Tuesday

Technical Details

  • Root cause: improper link resolution (CWE-59) in Windows Installer. During MSI installation or rollback operations, the Installer service follows file system links (directory junctions, symbolic links) created by a low-privileged user; the SYSTEM-privileged Installer then operates on the attacker-controlled destination rather than the intended file, enabling deletion of system-protected files.
  • CVSS vs. practical impact: the CVSS vector (C:N/I:N/A:H) captures only the file deletion primitive. The Naceri bypass showed that the incomplete patch left the same attack surface usable for full SYSTEM privilege escalation via alternate exploitation paths, so the practical severity is significantly higher than the CVSS score suggests.
  • Bypass publication: Naceri's public disclosure of the bypass PoC (InstallerFileTakeOver) on November 22, 2021, 13 days after Microsoft's patch, opened a period of heightened risk in which a working SYSTEM escalation exploit was publicly available against an incompletely patched component.
  • Ransomware use: Windows Installer LPE vulnerabilities are incorporated into ransomware operator toolkits because they provide a reliable path from low-privilege user execution to SYSTEM, enabling ransomware deployment, credential dumping, and lateral movement across enterprise Windows environments.
  • Attack preconditions: AV:L/PR:L. The attacker needs local code execution as a low-privileged user, so this is the second stage of an attack chain in which initial access is obtained via phishing, exploitation of a web application, or another initial access vector.
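To make the CWE-59 root cause concrete from the defender's side, the following added example (not code from the page, from Microsoft, or from the PoC) contrasts the vulnerable pattern, a privileged component deleting a path as given, with the hardened pattern of resolving every link in the path and refusing the operation when the resolved target escapes the component's own working directory. The scenario it builds is constructed: a scratch directory `work` stands in for the Installer's temporary area, and `protected` stands in for a system directory outside it. It uses a POSIX symlinked directory in place of a Windows directory junction, since the resolution logic is the same.

```python
import os
import stat
import tempfile


def resolve_within(root: str, candidate: str):
    """Resolve every symlink/junction component of `candidate` and return the
    real path only if it still lies under `root`; otherwise return None."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(candidate)
    try:
        common = os.path.commonpath([real_root, real_path])
    except ValueError:           # e.g. paths on different drives on Windows
        return None
    return real_path if common == real_root else None


def naive_unlink(path: str) -> None:
    """Vulnerable pattern: trust the path as given. If a parent directory has
    been swapped for a link, the deletion lands wherever the link points."""
    os.unlink(path)


def safe_unlink(root: str, path: str) -> bool:
    """Hardened pattern: refuse if the final component is itself a link, or if
    the fully resolved path escapes `root`. Returns True only on deletion.
    Note that checking the final component alone is not enough: a link in a
    parent directory is caught only by the containment check."""
    try:
        if stat.S_ISLNK(os.lstat(path).st_mode):
            return False
    except FileNotFoundError:
        return False
    target = resolve_within(root, path)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Constructed scenario (assumed layout, not a real Installer path)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "work")            # privileged scratch dir
        protected = os.path.join(tmp, "protected")  # stands in for a system dir
        os.mkdir(work)
        os.mkdir(protected)
        victim = os.path.join(protected, "important.dll")
        with open(victim, "w") as fh:
            fh.write("system file")

        # A low-privileged user replaces the expected "cache" subdirectory
        # inside the scratch area with a link to the protected directory.
        os.symlink(protected, os.path.join(work, "cache"))
        redirected = os.path.join(work, "cache", "important.dll")

        # Hardened path: the resolved target is outside `work`, so it refuses.
        blocked = not safe_unlink(work, redirected)
        survived = os.path.exists(victim)

        # Vulnerable path: follows the link and removes the protected file.
        naive_unlink(redirected)
        destroyed = not os.path.exists(victim)

        # Legitimate files inside `work` are still deleted normally.
        legit = os.path.join(work, "temp.bin")
        open(legit, "w").close()
        legit_deleted = safe_unlink(work, legit)

        return {"blocked": blocked, "survived": survived,
                "destroyed": destroyed, "legit_deleted": legit_deleted}


if __name__ == "__main__":
    print(demo())
```

The design point is that `os.lstat` on the final path component does not see a link placed higher up the tree; only resolving the whole path and checking containment against the intended root closes the CWE-59 gap.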

Discovery

The original vulnerability was identified and patched in the November 2021 Patch Tuesday release. Security researcher Abdelhamid Naceri then found that the patch was incomplete and published a bypass PoC (InstallerFileTakeOver) that achieved full SYSTEM privilege escalation. The public bypass PoC drove CISA's March 2022 KEV addition, reflecting active exploitation by ransomware operators and other threat actors using the publicly available code.

Exploitation Context

When a working public SYSTEM LPE exploit exists for Windows, ransomware operators and other threat actors adopt it quickly. The InstallerFileTakeOver bypass PoC for CVE-2021-41379 provided a reliable SYSTEM escalation tool for Windows 10, 11, and Server editions — broadly applicable across enterprise Windows environments. Ransomware operators use SYSTEM LPE as a key step in their kill chain: after initial low-privilege access, LPE to SYSTEM enables disabling security tools, establishing persistence, exfiltrating credentials, and deploying ransomware with the highest possible privilege across the environment.

Remediation

  1. Apply the November 2021 Patch Tuesday updates for all Windows versions; these patch the base CVE-2021-41379 vulnerability.
  2. Monitor for additional security updates addressing the Naceri bypass; Microsoft may issue follow-up patches for the InstallerFileTakeOver bypass variant.
  3. Enforce least-privilege principles: limit the attack surface by ensuring users run with the minimum necessary privileges, since LPE vulnerabilities require an existing low-privilege execution context to exploit.
  4. Enable Windows Defender and ensure real-time protection is active, for behavioral detection of Installer-based privilege escalation attempts.
  5. Monitor for msiexec.exe spawning unusual child processes or accessing unexpected file paths; both are indicators of Windows Installer exploitation.
  6. Apply application control (WDAC/AppLocker) policies to prevent untrusted executables from running in the first place, limiting the initial-access vector that LPE exploits depend on.
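Step 5 above is the one most teams implement as a detection rule. The following added example (not code from the page or from any vendor) runs two simple checks over constructed, Sysmon-style process-creation and file-deletion events: an alert when msiexec.exe spawns a child outside an assumed allowlist (escalated when the child is a shell running as SYSTEM), and an alert when SYSTEM msiexec.exe deletes a file outside the directories the Installer normally works in. The allowlist, the directory prefixes and the event field names are assumptions to be tuned to the environment and to the actual log schema.

```python
import ntpath

# Assumed children a legitimate installation may spawn from msiexec.exe.
# Custom actions can legitimately launch other processes; tune per estate.
EXPECTED_MSIEXEC_CHILDREN = {"msiexec.exe", "conhost.exe"}

# Assumed directories in which SYSTEM msiexec.exe routinely writes/deletes
# (Installer cache, temp, and rollback script location).
EXPECTED_FILE_PREFIXES = (
    r"c:\windows\installer\\".rstrip("\\") + "\\",
    r"c:\windows\temp\\".rstrip("\\") + "\\",
    r"c:\config.msi\\".rstrip("\\") + "\\",
)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "mshta.exe"}
SYSTEM_USER = "nt authority\\system"


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'msiexec.exe'."""
    return ntpath.basename(path).lower()


def analyze(events: list) -> list:
    """Return (severity, rule, utc_time) tuples for events worth triage."""
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            if _name(ev["parent_image"]) != "msiexec.exe":
                continue
            child = _name(ev["image"])
            if child in EXPECTED_MSIEXEC_CHILDREN:
                continue
            as_system = ev["user"].lower() == SYSTEM_USER
            severity = "high" if (child in SHELLS and as_system) else "medium"
            alerts.append((severity, f"msiexec.exe spawned {child}", ev["utc_time"]))
        elif ev["event"] == "file_delete":
            if _name(ev["image"]) != "msiexec.exe":
                continue
            if ev["user"].lower() != SYSTEM_USER:
                continue
            target = ev["target"].lower()
            if not target.startswith(EXPECTED_FILE_PREFIXES):
                alerts.append(("medium",
                               f"SYSTEM msiexec.exe deleted outside expected dirs: {ev['target']}",
                               ev["utc_time"]))
    return alerts


# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"event": "process_create", "utc_time": "2021-11-23 09:00:01",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"event": "process_create", "utc_time": "2021-11-23 09:00:02",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"event": "process_create", "utc_time": "2021-11-23 09:00:03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "user": "CORP\\alice"},
    {"event": "file_delete", "utc_time": "2021-11-23 09:00:04",
     "image": r"C:\Windows\System32\msiexec.exe", "user": "NT AUTHORITY\\SYSTEM",
     "target": r"C:\Windows\Installer\MSI1234.tmp"},
    {"event": "file_delete", "utc_time": "2021-11-23 09:00:05",
     "image": r"C:\Windows\System32\msiexec.exe", "user": "NT AUTHORITY\\SYSTEM",
     "target": r"C:\Program Files\ExampleVendor\agent.dll"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The file-deletion check is the one that maps most directly to this CVE, since the primitive is SYSTEM msiexec.exe removing a file it should never touch; the child-process check covers the broader Installer LPE pattern the page describes. Expect false positives from installers with legitimate custom actions, so baseline before alerting.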

Key Details

Property               Value
CVE ID                 CVE-2021-41379
Vendor / Product       Microsoft — Windows
NVD Published          2021-11-10
NVD Last Modified      2025-10-30
CVSS 3.1 Score         5.5
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity               MEDIUM
CWE                    CWE-59
CISA KEV Added         2022-03-03
CISA KEV Deadline      2022-03-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              None
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-03-17. Apply updates per vendor instructions.

Timeline

Date          Event
2021-11-09    Microsoft patches CVE-2021-41379 in the November 2021 Patch Tuesday release
2021-11-10    CVE published
2021-11-22    Security researcher Abdelhamid Naceri publishes bypass PoC (InstallerFileTakeOver), demonstrating that the patch was incomplete and full SYSTEM escalation was achievable
2022-03-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-17    CISA BOD 22-01 remediation deadline

References

Resource                                        Type
Microsoft Security Advisory — CVE-2021-41379    Vendor Advisory
NVD — CVE-2021-41379                            Vulnerability Database
CISA KEV Catalog Entry                          US Government