CVE-2021-1732 Windows 0-Day Threat Intel Advisory

CloudSEK threat intelligence advisory on CVE-2021-1732 zero-day vulnerability that targets Windows infrastructure.
Updated on
April 19, 2023
Published on
February 26, 2021
Subscribe to the latest industry news, threats and resources.
Vulnerability Intelligence
Vulnerability Type
Privilege Escalation
7.8 High Risk
Windows 10 & Windows Server 2019


Executive Summary

CVE-2021-1732 is a local privilege escalation zero-day vulnerability, that is leveraged by an APT in their ongoing campaigns targeting Windows infrastructure. The attacker exploits a memory bug in the Windows kernel leading to privilege elevation and code execution on the target machine. 

Technical Details

CVE-2021-1732 exists as a result of a memory corruption bug in one of the components (Win32K) in the Windows kernel; upon exploitation, it may trigger out-of-bounds access. Successful exploitation of the bug will give the attacker the ability to obtain System Token that grants the highest privilege to any process in Windows environment leading to potential escalation of privilege from normal user to kernel level which is equivalent to a root user in Linux. The malicious actor pairs this vulnerability with RCE to execute commands on the system with elevated privileges.

Very recently, reports emerged about an APT group dubbed Bitter APT that exploited this bug in their campaigns using the 0-day exploit code.

Affected Platforms

The table given below summarises affected Windows platforms and the respective build versions:

Windows Platform
Build Version
Windows 10 20H2, 1507, 1511,1607, 1703,1709,1803,1809,1903,1909,2004
Windows Server 2019 20H2,1909,2004


  • System level privilege is the highest privilege in Windows OS, a process with system privilege can have read/ write access for any assets in the environment.
  • Only an authenticated attacker can run arbitrary code with elevated privileges.
  • Client-side vulnerabilities can be paired with this vulnerability via social engineering, to compromise the victim.


MSRC has rolled out patches in their latest release of Patch Tuesday (February 09 2021):

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations