HIGH 8.2

CVE-2021-4480: Dräger Protector Software Local Privilege Escalation Vulnerability

Dräger Protector Software before version 6.4.2 has a local privilege escalation flaw rooted in overly permissive file system permissions. An attacker with local access to an affected system can replace critical binaries or loaded modules, then trigger execution with NT SYSTEM privileges—the highest level of access on Windows. This gives an adversary complete control over the host.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Weaknesses (CWE)
CWE-732
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with elevated privileges. Attackers can replace binaries or loaded modules on the host system to execute code with NT SYSTEM privileges.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2021-4480 is a CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerability in Dräger Protector Software. The weakness stems from inadequate file system access controls on binaries and modules loaded during application runtime. An unauthenticated local user can exploit this by substituting legitimate executables or dynamic libraries with malicious code. Upon the next invocation or module load, the attacker's payload executes under NT SYSTEM context, bypassing normal privilege boundaries. The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H) reflects the local attack surface, low complexity, no prior authentication requirement, and significant impact on system integrity and availability across trust boundaries.

Business impact

This vulnerability poses a severe risk in Dräger-dependent environments, particularly medical device networks and critical infrastructure where Protector Software provides system protection or monitoring. Successful exploitation results in complete system compromise—an attacker can disable security controls, install persistence mechanisms, corrupt data, or disrupt operations. Organizations relying on Dräger solutions for patient safety or operational integrity face potential patient harm, regulatory violations, downtime, and reputational damage. The attack requires only local presence but no special privileges, making it feasible for insider threats or post-compromise lateral movement scenarios.

Affected systems

Dräger Protector Software versions prior to 6.4.2 are vulnerable. Verify your installed version against Dräger's product documentation. The vulnerability affects Windows systems running the affected software. Scope of impact depends on how widely Protector Software is deployed across your infrastructure—isolated lab systems versus critical medical or industrial environments carry different risk profiles.

Exploitability

Exploitability is moderate in typical enterprise settings. The attack requires local system access—not remote exploitation—and the user interaction factor (UI:R in the CVSS vector) suggests the victim must trigger an action that loads a compromised module or executes a replaced binary. However, within healthcare or industrial settings where workstations may have shared access or where insider threats are a concern, exploitation becomes more practical. The simplicity of the underlying weakness (file permissions) means no sophisticated tools are needed once an attacker has local foothold.

Remediation

Upgrade Dräger Protector Software to version 6.4.2 or later. This version addresses the insecure file system permissions that enable the privilege escalation. Verify the upgrade path with Dräger's release notes and test in a non-production environment first, especially in regulated environments such as healthcare. Pending patch application, restrict local access to systems running vulnerable versions, disable unnecessary local accounts, and enforce strong authentication on administrative functions.

Patch guidance

Contact Dräger directly or consult their product portal to obtain version 6.4.2 or the latest available release. Verify that your Protector Software version is documented in your IT asset inventory. Plan upgrades during maintenance windows to minimize operational disruption, particularly in production environments. Test patched builds in a staging environment to confirm compatibility with your infrastructure before widespread deployment. Document the upgrade in your change management system and retain evidence of completion for compliance audits.

Detection guidance

Monitor file system access events on systems running Dräger Protector Software, particularly write or replace operations on executable directories and DLL search paths. Look for unsigned or newly created binaries in paths where Protector components reside. Review Windows Event Viewer for privilege escalation events (SYSTEM-level process creation by non-administrative users) coinciding with Protector module loads. Endpoint Detection and Response (EDR) solutions can alert on suspicious binary substitution or anomalous privilege elevation patterns. Baseline your legitimate Protector binary hashes and alert on deviations.

Why prioritize this

Despite the lack of CISA KEV listing and the requirement for local access, this vulnerability merits high priority in healthcare, medical device, and industrial control environments where Dräger software is trusted for critical operations. The simplicity of exploitation (file permission misconfiguration) combined with the severity of impact (SYSTEM privilege execution) and the user interaction factor creates an exploitable condition for insiders or post-compromise attackers. Organizations with Dräger Protector deployed should prioritize patching within their standard update cadence; those in regulated sectors should accelerate timelines.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects a local attack vector with low complexity and no authentication requirement, but moderate exploitability due to user interaction and limited confidentiality impact. The scope change (S:C) acknowledges that successful exploitation can affect other security domains or processes on the same host. The high integrity (I:H) and availability (A:H) ratings recognize the attacker's ability to execute arbitrary code and disrupt system functionality. This score appropriately positions the vulnerability as a serious but not critical flaw, balanced by its local-only nature.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2021-4480 is a local privilege escalation flaw requiring an attacker or malicious user already present on the system. It cannot be exploited over a network.

Is this vulnerability currently being exploited in the wild?

This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the simplicity of the underlying issue (insecure file permissions) means it could be abused in targeted attacks, particularly in healthcare or industrial environments. Verify with Dräger and your security intelligence sources.

What should I do if I cannot upgrade immediately?

Implement compensating controls: restrict local access to affected systems, disable local user accounts where possible, enforce strong authentication on administrative functions, and monitor file system changes on critical binaries. Upgrade as soon as your change management and testing process allows.

Are older versions of Dräger Protector affected?

Yes, all versions prior to 6.4.2 are vulnerable. If you are running any version below 6.4.2, you should plan an upgrade. Check Dräger's product advisory for version-specific migration guidance if you are multiple versions behind.

This analysis is provided for informational purposes and based on publicly available CVE data and vendor advisories. SEC.co makes no warranty regarding the completeness or timeliness of this information. Organizations must verify all version numbers, patch availability, and compatibility against official Dräger documentation and conduct their own risk assessment. This vulnerability requires local access and does not appear in CISA's KEV catalog as of the publication date; threat landscape changes over time. Test all patches in non-production environments before deployment. Consult your vendor and security team before taking action in regulated environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).