On July 23, 2021 Microsoft published a high-risk security vulnerability in Windows (CVE-2021-36934) with a CVSS score above 7. The vulnerability originates from an overly permissive access policy on several system files, such as the Security Accounts Manager (SAM) database. A malicious user can exploit it to elevate privileges and then execute malicious code; view, change or delete data; or create a new user account with full rights.
From our testing, the affected devices are mainly Windows 10 and Windows 11; however, according to the official information released by Microsoft, Windows Server 2019 is also affected. This issue needs special attention because there is currently no patch that protects against this vulnerability. As a short-term measure, Microsoft has published an official workaround: for example, you can delete the affected Volume Shadow Copy Service (VSS) shadow copies. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)
Looking at this issue from the perspective of PCI DSS compliance, the vulnerability's CVSS Base Score of 7.8 puts it in the high-risk category, because it is higher than 7. It should therefore be patched within 30 days if possible; otherwise, other safeguards must be put in place. If the ASV (Approved Scanning Vendor) external vulnerability scan detects this vulnerability, the scan will not pass.
In addition, Windows 10 is commonly used as a springboard (jump host) in the server room, and such a springboard is often shared by several members of staff. It is therefore also important to watch whether ordinary users could use this vulnerability for other purposes, such as unauthorized activities.
This raises the question: how can you maintain the security and integrity of your systems while this vulnerability remains unpatched? We at Secure Vectors propose the following suggestions:
- Firstly, restrict access to the specific system directories and delete the backup copies held by the Volume Shadow Copy Service (VSS). The reason for doing this is that the system can then no longer be restored through backup/restoration tools, so while a patch is being developed you prevent the restoration operation from happening.
- Temporarily restrict personnel who do not hold host management authority (Administrator) from logging in to the host. General user accounts are otherwise able to access the core configuration files, SAM database, etc. By doing this, personnel without host management authority cannot reach these files, and your organization avoids attacks in which a hacker elevates their authority.
- Remember to update the scanning database of your internal vulnerability scanning tool to the latest version, then run a scan to check whether the tool can identify the problem.
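The check and the first workaround step above can be scripted. The following PowerShell script is an added example; it is not from the original post, from Secure Vectors, or from Microsoft. It reports whether the SAM, SYSTEM and SECURITY hive files under %windir%\System32\config grant read access to BUILTIN\Users and whether VSS shadow copies exist (both conditions together are what the advisory describes), and with the hypothetical -Mitigate switch it applies the two official workaround steps: re-enabling ACL inheritance on the config directory with icacls and deleting existing shadow copies with vssadmin. The function names are this example's own. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server 2019.

```powershell
# Added example (not from the original post, Secure Vectors, or Microsoft):
# report the CVE-2021-36934 exposure condition and optionally apply the workaround.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Mitigate   # without this switch the script only reports
)

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveReadableByUsers {
    # Returns $true when BUILTIN\Users (SID S-1-5-32-545) holds an Allow ACE
    # that includes ReadData on the hive file: the over-permissive ACL behind the CVE.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $canRead = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData
        if ($sid.Value -eq 'S-1-5-32-545' -and $canRead) { return $true }
    }
    return $false
}

function Get-HiveExposureReport {
    # One row per hive plus the shadow-copy count. The live hives are locked by the
    # OS, so a weak ACL only becomes readable when a shadow copy holds a copy of them;
    # "Exposed" therefore requires both a weak ACL and at least one shadow copy.
    $rows = foreach ($h in $hives) {
        [pscustomobject]@{
            Hive            = $h
            ReadableByUsers = Test-HiveReadableByUsers -Path (Join-Path $configDir $h)
        }
    }
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $weak = @($rows | Where-Object ReadableByUsers).Count
    [pscustomobject]@{
        Hives           = $rows
        WeakAclCount    = $weak
        ShadowCopyCount = $shadows.Count
        Exposed         = ($weak -gt 0) -and ($shadows.Count -gt 0)
    }
}

function Invoke-Workaround {
    # Step 1 (official workaround): re-enable inheritance so the directory's ACL
    # replaces the explicit over-permissive ACEs on every file in the config folder.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    # Step 2 (official workaround): delete existing shadow copies. The corrected ACL
    # only applies to copies taken after this point. Note that this also removes
    # System Restore points, so create a new restore point afterwards if you rely on them.
    & vssadmin delete shadows /all /quiet | Out-Null
}

$before = Get-HiveExposureReport
$before.Hives | Format-Table -AutoSize
"Hives with weak ACL: $($before.WeakAclCount); shadow copies: $($before.ShadowCopyCount); exposed: $($before.Exposed)"

if ($Mitigate -and $before.WeakAclCount -gt 0) {
    Invoke-Workaround
    $after = Get-HiveExposureReport
    "After workaround - hives with weak ACL: $($after.WeakAclCount); shadow copies: $($after.ShadowCopyCount); exposed: $($after.Exposed)"
}
```

Run it without arguments first to record the current state (this is also useful evidence for the PCI DSS compensating-control record while the host is unpatched); run it again with -Mitigate to apply the workaround and confirm that the re-check reports no hive as readable by BUILTIN\Users. The ACL step alone does not help against shadow copies that already exist, which is why the script performs both steps together.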

Bryan Cheng
- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification: PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant
Secure Vectors Information Technologies Inc. is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS and PCI PIN Security Standards, as well as personal data protection, GDPR compliance inspection and other consulting services. We are headquartered in California, U.S., with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi) and Singapore. With over 70 percent market share in Taiwan and 8 years of experience in PCI compliance, we have developed a compliance management program and collaborating services to fit every business.
- PCI certification: securevectors.com
- SecuCollab collaborating service: secucollab.com
- SecuCompliance management program: www.secucompliance.com
For more information and inquiries, please email us at service@securevectors.com; our experts will answer your questions as soon as possible.

