A security researcher has released proof-of-concept exploit code for a critical vulnerability in the latest versions of Windows 10 and Windows Server. The published code, from Axel Souchet (0vercl0k), triggers a kernel crash (blue screen) on an unpatched host rather than code execution, so what it demonstrates in practice is denial of service.
The vulnerability, tracked as CVE-2021-31166, lies in the HTTP protocol stack (HTTP.sys), the kernel-mode driver that the Windows Internet Information Services (IIS) web server and other Windows services use as a protocol listener to handle HTTP requests (BleepingComputer).
To exploit the bug, an attacker only has to send a specially crafted packet to a server that processes requests through the vulnerable HTTP protocol stack. Microsoft fixed it in its May 2021 Patch Tuesday updates. The vulnerability affects only Windows 10 versions 2004 and 20H2 and Windows Server versions 2004 and 20H2; older releases such as Windows 10 1909 and Windows Server 2019 are not affected.
Because the flaw could allow an unauthenticated attacker to run arbitrary code remotely in the context of the kernel, and Microsoft rates it as wormable, Microsoft strongly recommends that organizations patch all affected servers as soon as possible. Note that exposure is not limited to hosts running IIS: anything that registers a listener through the HTTP Server API (WinRM, WSDAPI, custom HttpListener applications) is served by HTTP.sys.
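The following PowerShell script is an added example, not code from the article or from Microsoft, that an administrator can run on a Windows host to check whether it is in the affected set, whether the May 2021 cumulative update is present, and what is actually listening through HTTP.sys. It assumes that the affected OS builds are 19041 (version 2004) and 19042 (version 20H2) and that the fixing cumulative update for those builds is KB5003173; the KB number should be verified against Microsoft's advisory for CVE-2021-31166 before relying on it.

```powershell
# Added example (not from the original article): triage a Windows host for CVE-2021-31166.
# Assumptions (verify against the Microsoft advisory):
#   - affected OS builds: 19041 (Windows 10 / Server version 2004) and 19042 (version 20H2)
#   - fixing cumulative update for those builds: KB5003173 (May 2021 Patch Tuesday)
$affectedBuilds = @(19041, 19042)
$fixKb          = 'KB5003173'

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
Write-Host ("OS: {0}  build {1}.{2}" -f $os.Caption, $build, $ubr)

if ($affectedBuilds -notcontains $build) {
    Write-Host "Build $build is not in the affected set (2004/20H2); no action needed for this CVE."
    return
}

# Get-HotFix lists installed cumulative updates by KB id.
$patched = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)
Write-Host ("Fix {0} installed: {1}" -f $fixKb, $patched)

# HTTP.sys runs in kernel mode, so its TCP listeners are owned by PID 4 (System).
# Not every PID 4 listener is HTTP.sys (445/SMB is also System), so treat this as
# a first pass and confirm with the HTTP Server API's own view below.
Write-Host "`nTCP listeners owned by the System process (PID 4):"
Get-NetTCPConnection -State Listen -OwningProcess 4 |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize

# Authoritative list of request queues and the URL prefixes registered with HTTP.sys.
# Any entry here (IIS sites, WinRM on 5985/5986, WSDAPI, custom HttpListener apps)
# is reachable through the vulnerable driver on an unpatched host.
Write-Host "HTTP.sys request queues and registered URLs:"
netsh http show servicestate

if (-not $patched) {
    Write-Warning "Host is on an affected build and $fixKb is not installed: patch before exposing the listeners above."
}
```

The `netsh http show servicestate` output is the part to read carefully: an administrator who has never installed IIS may still find WinRM or a vendor agent registered there, and on an unpatched 2004/20H2 host each of those prefixes is an unauthenticated path into HTTP.sys.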