{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/protonvpn-v4.4.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ProtonVPN v4.4.1"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Proton Technologies"],"content_html":"\u003cp\u003eA public local privilege escalation exploit has been published on Exploit-DB for ProtonVPN version 4.4.1, leveraging an Unquoted Service Path vulnerability. This flaw specifically affects the 'ProtonVPN Wireguard' service on Windows systems, which is configured to run with \u003ccode\u003eLocalSystem\u003c/code\u003e privileges. The vulnerability arises because the service's executable path, \u003ccode\u003eC:\\Program Files (x86)\\Proton Technologies\\ProtonVPN\\ProtonVPN.WireGuardService.exe\u003c/code\u003e, is not enclosed in quotation marks. This allows a local attacker with write access to the root directory or \u003ccode\u003eC:\\Program Files (x86)\\\u003c/code\u003e to insert a malicious executable named \u003ccode\u003eProgram.exe\u003c/code\u003e or \u003ccode\u003eProton.exe\u003c/code\u003e respectively. Upon the next service start or system reboot, the operating system will incorrectly execute the attacker's binary instead of the legitimate ProtonVPN service, granting the attacker \u003ccode\u003eLocalSystem\u003c/code\u003e privileges. The availability of a working exploit (EDB-52624) significantly elevates the risk for unpatched systems, particularly those tested on Windows 10 Pro x64.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains initial access to a vulnerable Windows system with ProtonVPN v4.4.1 installed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the 'ProtonVPN Wireguard' service and its unquoted \u003ccode\u003eBINARY_PATH_NAME\u003c/code\u003e: \u003ccode\u003eC:\\Program Files (x86)\\Proton Technologies\\ProtonVPN\\ProtonVPN.WireGuardService.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLeveraging the unquoted path vulnerability, the attacker places a malicious executable named \u003ccode\u003eProgram.exe\u003c/code\u003e into the \u003ccode\u003eC:\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker waits for the system to reboot, or manually triggers a restart of the 'ProtonVPN Wireguard' service.\u003c/li\u003e\n\u003cli\u003eDuring service startup, the Windows Service Control Manager attempts to resolve the service's binary path. Due to the unquoted path, it incorrectly executes \u003ccode\u003eC:\\Program.exe\u003c/code\u003e instead of the intended ProtonVPN binary.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eProgram.exe\u003c/code\u003e is executed with the privileges of the 'ProtonVPN Wireguard' service, which are \u003ccode\u003eLocalSystem\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's arbitrary code gains \u003ccode\u003eLocalSystem\u003c/code\u003e privileges, achieving full system control and local privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of this unquoted service path vulnerability allows a local attacker to escalate their privileges to \u003ccode\u003eLocalSystem\u003c/code\u003e, which is the highest privilege level on a Windows operating system. This grants the attacker complete control over the compromised system, enabling them to install persistent backdoors, deploy additional malware (such as ransomware or infostealers), modify system configurations, create new administrative users, or exfiltrate sensitive data without restriction. Organizations running ProtonVPN v4.4.1 on unpatched Windows endpoints are at risk of lateral movement and full system compromise if an attacker achieves local access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update ProtonVPN to the latest secure version to patch the unquoted service path vulnerability. Refer to the vendor's official channels for guidance.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)\u0026quot; provided in this brief to your SIEM solution to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process creation logging is enabled on all Windows endpoints to ensure the \u0026quot;Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)\u0026quot; rule can collect necessary telemetry.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to restrict write access to the root directory (\u003ccode\u003eC:\\\u003c/code\u003e) and \u003ccode\u003eC:\\Program Files (x86)\\\u003c/code\u003e to prevent malicious binary placement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T14:03:21Z","date_published":"2026-07-07T14:03:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-protonvpn-unquoted-path/","summary":"A local privilege escalation vulnerability (Unquoted Service Path) in ProtonVPN v4.4.1 has a public exploit, allowing a local attacker to execute arbitrary code with 'LocalSystem' privileges by placing a malicious executable in a specific directory, which is then launched by the vulnerable 'ProtonVPN Wireguard' service upon startup or restart.","title":"ProtonVPN v4.4.1 Unquoted Service Path Vulnerability with Public Exploit","url":"https://feed.craftedsignal.io/briefs/2026-07-protonvpn-unquoted-path/"}],"language":"en","title":"CraftedSignal Threat Feed - ProtonVPN V4.4.1","version":"https://jsonfeed.org/version/1.1"}