Attackers can gain Windows system privileges using this ESET antivirus bug

by Alexandru Poloboc
  • Security experts are warning against a threat that could compromise your entire system.
  • ESET released security fixes for a high severity local privilege escalation vulnerability.
  • CVE-2021-37852 enables attackers to escalate privileges to NT AUTHORITY\SYSTEM.
  • In this article you will also find the list of affected products, as shown by ESET experts.

Cybersecurity should be of paramount importance to all of us with access to the internet, especially if we have valuable assets or sensitive information to protect.

However, securing your account can sometimes prove to be a lot harder than just saying you will, as ingenious malicious third parties will always find a way to bypass available security.

Recently, ESET released security fixes to address a high severity local privilege escalation vulnerability affecting multiple products on systems running Windows 10 and later or Windows Server 2016 and above.

The flaw, tracked as CVE-2021-37852, was reported by Zero Day Initiative, which warned users that it enables attackers to escalate privileges to NT AUTHORITY\SYSTEM account rights.

Keep in mind that this is by far the highest level of privileges on a Windows system, and attackers can reach it by abusing the Windows Antimalware Scan Interface (AMSI).

Security experts warn of impending cyber-risks

If you didn’t already know, AMSI was first introduced with Windows 10 Technical Preview. It actually allows apps and services to request memory buffer scans from any major antivirus product installed on the system.

According to security experts at ESET, the escalation can only be achieved after attackers gain SeImpersonatePrivilege rights.

This privilege is assigned to users in the local Administrators group and to the device's local Service account so that they can impersonate a client after authentication, which should limit the impact of this vulnerability.

On the other hand, Zero Day Initiative stated that cybercriminals are only required to obtain the ability to execute low-privileged code on the target system, which matches ESET’s CVSS severity rating. 

This automatically means that this nasty and dangerous bug can be exploited by malicious third parties with low privileges.
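Since ESET names SeImpersonatePrivilege as the precondition, one useful host check is to list who actually holds that right. The following is an added example, not code from ESET or from this article: it parses the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports principals outside the Windows default holders. The sample export, the `svc_backup` account and the function names are constructed for illustration.

```python
import configparser

# Default holders of "Impersonate a client after authentication" on Windows
# (assumed baseline for this example; adjust to your own policy).
EXPECTED = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
}

# Constructed sample of a secedit USER_RIGHTS export (not from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

def impersonate_holders(export_text):
    """Return the principals listed for SeImpersonatePrivilege."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names case-sensitive
    parser.read_string(export_text)
    if not parser.has_section("Privilege Rights"):
        raise ValueError("no [Privilege Rights] section in export")
    raw = parser.get("Privilege Rights", "SeImpersonatePrivilege", fallback="")
    # SIDs are written as *S-1-...; plain account names carry no asterisk.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def unexpected_holders(export_text):
    """Principals holding the right beyond the default set."""
    return [p for p in impersonate_holders(export_text) if p not in EXPECTED]

def load_export(path):
    """Read a real export file from disk (secedit writes UTF-16)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()

if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        print("review:", principal)
```

Any principal the script reports is an account or service that already meets ESET's stated precondition and is worth reviewing on hosts that still run an affected version.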

The security experts also published a list that shows the products that are impacted by this vulnerability:

  • ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, and ESET Smart Security Premium from version 10.0.337.1 to
  • ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4
  • ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0
  • ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000
  • ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0
  • ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0
  • ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0

It is also important to note that ESET Server Security for Microsoft Azure users are advised to immediately update to the latest available version of ESET Server Security for Microsoft Windows Server.

The bright side here is that ESET didn’t actually find any evidence of exploits designed to target products affected by this security bug in the wild.

However, this doesn’t mean that we have to ignore the necessary steps to become safe again. Have you ever been the victim of such an elaborate attack?
