CVE-2021-24084: Windows Mobile Device Management Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 5.5)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Feb
Released: 2021-02-09
Last Updated: 2021-12-14
EPSS Score: 4.03% (percentile: 88.5%)

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system.

Detection & Weaponization (1 sources)

Maturity: Exploit

GitHub PoC: 2 repositories

Affected Products (16)

Windows

Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows Server, version 20H2 (Server Core Installation)

Security Updates (4)

Acknowledgments

Abdelhamid Naceri (halov) working with Trend Micro Zero Day Initiative

Revision History

2021-02-09: Information published.
2021-12-14: To comprehensively address CVE-2021-24084, Microsoft has released December 2021 security updates for all supported editions of Microsoft Windows. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.