Friday, May 23, 2025
HomeExploitWindows PoC Exploit Released For The Most Critical Wormable RCE in HTTP...

Windows PoC Exploit Released For The Most Critical Wormable RCE in HTTP Protocol Stack

Published on

SIEM as a Service

Follow Us on Google News

Recently cybersecurity researchers has recently discovered a severe vulnerability in the IIS (Internet Information Services) of Windows. Though Microsoft has recently fixed this critical vulnerability in patch Tuesday released in 12 may, and it’s tracked as CVE-2021-31166.

Many security experts and security companies have claimed that this vulnerability is one of the most critical security flaws that have been detected and fixed by Microsoft this month.

HTTP Protocol Stack RCE Vulnerability

This critical flaw (CVE-2021-31166) is akin to corruption of information in the memory of the HTTP protocol stack (HTTP.sys) that is already included in all the recent versions of Windows.

- Advertisement - Google News
  • CVE ID: CVE-2021-31166
  • Assigning CNA: Microsoft
  • Released: May 11, 2021
  • CVSS: 3.0 (9.8 out of 10)

In general, this HTTP Protocol Stack is used by the Windows IIS (Internet Information Services) server, so, the security expert, Axel Souchet, who used to work for Microsoft has explained that if this server is active, then an attacker can easily send it a specially crafted packet to execute malicious code at the OS kernel level.

This security flaw is quite similar to another Microsoft vulnerability that was detected in the HTTP network stack. It was tracked as CVE-2015-1635 and detected or reported by the security experts in 2015.

Moreover, it becomes worse when Microsoft warned that this RCE vulnerability has the potential of a worm, as it can be used by the threat actors to create malware that spreads itself from server to server.

PoC for CVE-2021-31166 triggers Blue Screen of Death (BSOD)

To show the flaw in action the former Microsoft security researcher, Axel Suchet published a PoC exploit for CVE-2021-31166 (“HTTP Protocol Stack Remote Code Execution Vulnerability”).

From the above image, you can see the flaw in action, and how this critical flaw triggers the Blue Screen of Death (BSOD). Here, Axel explains that where the function has a local LIST_ENTRY, this bug happens itself in the “http!UlpParseContentCoding” and then it affix the item to it.

And here the interesting thing is that it does not NULL out the local list (LIST_ENTRY) after it moves it into the Request structure when it is done.

It means that an attacker can easily leave all the entries of the local list in a hanging state in the Request object by triggering the code path that unlocks all the entries of the local list.

Possible targets are safe from attacks

Axel Suchet claimed since the capabilities of the HTTP Protocol Stack RCE flaw are artificially limited, so, it is likely that most of the potential targets are safe from such attacks.

While this security flaw only affects the newest OS versions like Windows 10 2004 and 20H2, as well as Windows Server 2004 and 20H2, and all these versions are not yet very widespread.

Moreover, the vulnerability CVE-2021-31166 does not allow the formulation of a full-fledged worm, and it only leads to a “crash” (DoS) of unpatched Windows versions that are running the IIS server.

But, apart from all these things, the security team at Microsoft has strongly recommended all its users to install all the security updates published on an immediate basis.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light...

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure...

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used...

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

PoC Exploit Published for macOS Sandbox Escape Vulnerability (CVE-2025-31258)

Security researchers have disclosed a new macOS sandbox escape vulnerability tracked as CVE-2025-31258, accompanied...

New Advanced Phishing Attack Exploits Discord to Target Crypto Users

Check Point Research has uncovered a sophisticated phishing campaign that leverages Discord to target...

Researcher Exploits Regex Filter Flaw ...

Target application included a username field restricted by a frontend regex filter (/^{1,20}$/), designed...