Report Date: 2026-04-19
Vulnerability Discovered: 2021 (Public Disclosure: January 25, 2022)
Exploit Name: BAGET (also known as PwnKit, pkexec LPE)
Affected Component: pkexec – part of PolicyKit (Polkit)
CVSS Score: 7.8 (High) – AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Enable AMSI (Anti-Malware Scan Interface): AMSI allows applications and services to integrate with any antimalware product. PowerShell and .NET scripts used by Baget would be scanned in memory before execution.
Restrict .NET Code Execution: Use Windows Defender Application Control (WDAC) or AppLocker to prevent unsigned .NET assemblies from running in user directories.
Deploy Endpoint Detection and Response (EDR): EDR solutions like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint detect process hollowing and anomalous parent-child process relationships (e.g., winword.exe spawning notepad.exe which spawns cmd.exe).
User Awareness Training: At its core, Baget relied on a user clicking an infected attachment. Simulated phishing campaigns teaching users to verify unexpected invoices or shipping notices remain the most effective control.
Network Segmentation & TLS Inspection: Because Baget used encrypted C2 channels, organizations needed SSL inspection proxies to decrypt and inspect outbound HTTPS traffic for malicious domains.
Many EDRs (CrowdStrike, SentinelOne, Defender for Endpoint) detect CVE-2021-4034 as "PolkitPrivilegeEscalation" or similar.
By late 2021, Microsoft Defender began using machine learning-based heuristics (specifically, the "Behavior:Win32/Baget" detection tag). Combined with the takedown of several command-and-control (C2) infrastructure providers, usage of the Baget Exploit declined, though mutated descendants remain active today.
To understand the Baget Exploit, we must first clarify what it was not. In 2021, major vendors like Microsoft patched genuine zero-day exploits (e.g., PrintNightmare, ProxyLogon). Baget utilized none of those. Instead, Baget was a .NET-based crypter that exploited human trust and security software limitations rather than a specific CVE.
However, the community dubbed it the "Baget Exploit" because it effectively exploited the gap between signature-based detection and polymorphic code. The developer(s) of Baget sold it on underground forums as a "FUD builder." For a subscription fee (often paid in Bitcoin or Monero), a user could feed any malicious .exe into the Baget builder. The builder would then output a mutated, encrypted, and packed executable that had a 0% detection rate on VirusTotal.
Process creation chain:
unpriv_user → pkexec → /bin/sh -c "arbitrary command"
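A detection check over process-creation telemetry for the chain above, added here as an example that is not part of this report; the event fields and the sample events are constructed assumptions, not real telemetry.

```python
# Added example (not from the report): flag process-creation events in which
# pkexec, running as root on behalf of an unprivileged real uid, spawns a
# shell, i.e. the unpriv_user -> pkexec -> /bin/sh chain described above.
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    uid: int      # real uid of the process
    euid: int     # effective uid (0 after a setuid-root exec)
    comm: str     # executable name
    cmdline: str


def find_pkexec_shell_chains(events):
    """Return (pkexec_pid, shell_pid, origin_uid) for every root-level shell
    whose parent is a pkexec started by a non-root real uid."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.comm != "pkexec":
            continue
        # pkexec keeps the caller's real uid while running with euid 0;
        # a root shell under such a parent is the chain worth reviewing.
        if e.comm in SHELLS and e.euid == 0 and parent.uid != 0:
            hits.append((parent.pid, e.pid, parent.uid))
    return hits


# Constructed sample events (assumed field layout, not captured data).
SAMPLE = [
    ProcEvent(100, 1, 1000, 1000, "bash", "bash"),                # user's login shell
    ProcEvent(200, 100, 1000, 0, "pkexec", "pkexec"),             # setuid root, real uid 1000
    ProcEvent(201, 200, 0, 0, "sh", "/bin/sh -c id"),             # root shell spawned by pkexec
    ProcEvent(300, 1, 0, 0, "pkexec", "pkexec --version"),        # root itself running pkexec
    ProcEvent(301, 300, 0, 0, "sh", "/bin/sh -c true"),           # root-origin chain, not flagged
]

if __name__ == "__main__":
    for pkexec_pid, shell_pid, uid in find_pkexec_shell_chains(SAMPLE):
        print(f"review: uid {uid} -> pkexec[{pkexec_pid}] -> shell[{shell_pid}]")
```

A legitimate, authorized `pkexec /bin/sh` produces the same chain, so treat a hit as a triage signal to correlate with the polkit authentication log rather than as proof of exploitation.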