{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/legionspace-1.7.11.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LegionSpace (1.7.11.2)"],"_cs_severities":["medium"],"_cs_tags":["unquoted-service-path","privilege-escalation","windows"],"_cs_type":"threat","_cs_vendors":["Lenovo"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability exists in Lenovo LegionSpace version 1.7.11.2 due to an unquoted service path in the \u0026lsquo;DAService\u0026rsquo;. This flaw allows a local attacker to insert arbitrary code into a path within the service\u0026rsquo;s execution path. When the \u0026lsquo;DAService\u0026rsquo; starts, it attempts to execute the program specified in its path. If the path is unquoted and contains spaces, the service may inadvertently execute a malicious program placed in an earlier directory in the path. The exploit, identified as EDB-52570, was published on Exploit-DB on 2026-05-21. Successful exploitation leads to arbitrary code execution with elevated privileges. Lenovo recommends upgrading to version 1.8.12.13 or later to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an unquoted service path for \u0026lsquo;DAService\u0026rsquo;: C:\\Program Files\\Lenovo\\LegionSpace\\1.7.11.2\\LSDaemon.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious executable named \u0026ldquo;Program.exe\u0026rdquo; in C:.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to start the \u0026lsquo;DAService\u0026rsquo;. Due to the unquoted path, the OS parses the path as C:\\Program.exe instead of C:\\Program Files\\Lenovo\\LegionSpace\\1.7.11.2\\LSDaemon.exe.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;Program.exe\u0026rdquo; is executed.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the privileges of the \u0026lsquo;DAService\u0026rsquo;, which is LocalSystem.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform administrative tasks or install malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code with elevated privileges. This can lead to a complete compromise of the affected system, including data theft, malware installation, and denial of service. Given the widespread use of Lenovo LegionSpace software, a significant number of systems are potentially vulnerable if not patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Lenovo LegionSpace to version 1.8.12.13 or later to patch the unquoted service path vulnerability as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unquoted Service Path Exploitation\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring for the creation of files in the root directory with names matching components of the vulnerable service path.\u003c/li\u003e\n\u003cli\u003eRegularly review service configurations for unquoted paths using the \u003ccode\u003ewmic service get name, pathname, displayname, startmode\u003c/code\u003e command.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T13:32:02Z","date_published":"2026-05-21T13:32:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-lenovo-legionspace-unquoted-service-path/","summary":"A local exploit has been published for Lenovo LegionSpace 1.7.11.2, detailing an Unquoted Service Path vulnerability in the 'DAService', potentially leading to local privilege escalation.","title":"Lenovo LegionSpace 1.7.11.2 Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-lenovo-legionspace-unquoted-service-path/"}],"language":"en","title":"CraftedSignal Threat Feed — LegionSpace (1.7.11.2)","version":"https://jsonfeed.org/version/1.1"}