Advisory Details

September 2nd, 2021

Microsoft Windows Lock Screen Improper Access Control Authentication Bypass Vulnerability

ZDI-21-1053
ZDI-CAN-13692

CVE ID CVE-2021-26431
CVSS SCORE 6.8, (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Windows
VULNERABILITY DETAILS

This vulnerability allows physically present attackers to bypass authentication on affected installations of Microsoft Windows. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the lock screen. The issue results from the lack of proper access control prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26431
DISCLOSURE TIMELINE
  • 2021-06-30 - Vulnerability reported to vendor
  • 2021-09-02 - Coordinated public release of advisory
CREDIT Abdelhamid Naceri (halov)
BACK TO ADVISORIES