Baget Exploit 2021

The Baguette Exploit

The year was 2021. The world was still working from home, relying heavily on cloud infrastructure, and the digital realm had never been more fragile. It was in this environment that the cybersecurity community stumbled upon one of the most peculiar and far-reaching vulnerabilities in history: .

• Jan 2022: Public disclosure, exploit PoC released within hours.
• Feb–Mar 2022: Incorporated into Metasploit (exploit/linux/local/polkit_pkexec).
• 2023: Observed in cryptojacking botnets (e.g., "Migo", "Outlaw") and ransomware pre-attack reconnaissance.
• 2024–2025: Still seen on unpatched IoT devices, older enterprise servers, and container hosts.

Report Date:

2026-04-19 Vulnerability Discovered: 2021 (Public Disclosure: January 25, 2022) Exploit Name: BAGET (also known as PwnKit, pkexec LPE) Affected Component: pkexec – part of PolicyKit (Polkit) CVSS Score: 7.8 (High) – AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H baget exploit 2021

1. Creates a legitimate process in a suspended state (e.g., C:\Windows\System32\notepad.exe).
2. Unmaps the original code of notepad.exe.
3. Writes the decrypted RAT into the memory space of notepad.exe.
4. Resumes the thread.

: A central computer used in the modernization of the MiG-31BM aircraft, though this is a hardware component and not typically associated with a 2021 "exploit" trend. The Baguette Exploit The year was 2021

5.2 Remediation Steps

For system administrators looking back or dealing with legacy infections, the following indicators of compromise (IoCs) were associated with the Baget Exploit in 2021: Jan 2022 : Public disclosure, exploit PoC released