Threat Advisory: CVE-2021-31166 Windows Remote Code Execution Vulnerability

Just when you thought you had seen the worst 2021 could throw at you…

We are barely approaching the middle of the year and not a month has gone by without a major cybersecurity incident making headlines. Just yesterday we published a blog on the ransomware attack on Colonial Pipeline and multiple other attacks were profiled on healthcare systems 

As part of our partnership with Microsoft, Blue Hexagon is monitoring an issue that could have been potentially more severe than the MS Exchange incident earlier in the year, if it was not for the fact that it was detected internally at Microsoft and patches released before being discovered in the wild. 

CVE-2021-31166 is on HTTP Protocol Stack that could lead to remote code execution. It is also potentially wormable

Less than a day ago, we had raised concerns on the importance of timely detection being an unsolved problem at scale for the cybersecurity industry. Two years ago, our CTO wrote (somewhat hyperbolically) about a world in which every attack was a zero-day. While this is not strictly the definition of a zero-day, it is true that millions of never seen before malicious code variants are created every single day each going after well-known unpatched or yet unknown zero-day vulnerabilities. In case of vulnerabilities like CVE-2021-31166, an attack that can be weaponized easily. 

We have previously discussed how combining automation and AI-based predictions could help turn the tide. However, prevention technologies are still largely signature-based and Network Detection and Response technology is not widely deployed yet. With broader adoption of AI, Automation, and NDR we will stand a better chance at defending against unknown attacks going after newly discovered or unknown CVEs. 

This latest issue just reiterates the need to treat every vulnerability as a Zero Day issue in terms of prioritization and handling when it comes to deployment, protection, and scale. Given the ease with which this vulnerability can be weaponized and the version of operating systems affected, network-wide visibility and detection that handles unknown malicious code is critical.

To exploit this vulnerability, in most situations, an unauthenticated attacker can send a specially crafted packet to a targeted server.

At this point, no known reports of an exploit in the wild exist, but as Microsoft has called out, the ability to weaponize this attack is very high. Immediate patching is recommended and Windows/IIS administrators should be monitoring logs/activities for unusual activities.

Two possible manifestations of this attack could lead to a RCE with kernel privileges or a denial-of-service (DoS) attack.

Microsoft Windows Versions Affected by CVE-2021-31166

Windows 10 2004 and 20H2 and Windows Server 2004 and 20H2. 

Blue Hexagon has currently released a silent deep learning model to keep a check on possible exploitations in the wild. 

What you should do

Patching this vulnerability should be on top of the list. Additionally, while in-the-wild attacks are still unknown, it is prudent to keep an eye on (especially on HTTP transactions) coming into the organization to affected software versions as well as command and control and east-west traffic for suspicious communications and/or malware since this is a wormable vulnerability. 

Questions? How to Contact Blue Hexagon Threat Experts

If you have any questions or need assistance about this threat and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at  or online at and let us know how we can help and get in touch with you.

PS: You may like to bookmark this blog post for future reference as we continue to add further research on this threat.

Additional Resources:

You may like to also read related threat advisories and research:

Ransomware Families and Variants are in Abundance

5 Takeaways from the Colonial Pipeline Ransomware Attack