<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ProtonVPN V4.4.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/protonvpn-v4.4.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 14:03:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/protonvpn-v4.4.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>ProtonVPN v4.4.1 Unquoted Service Path Vulnerability with Public Exploit</title><link>https://feed.craftedsignal.io/briefs/2026-07-protonvpn-unquoted-path/</link><pubDate>Tue, 07 Jul 2026 14:03:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-protonvpn-unquoted-path/</guid><description>A local privilege escalation vulnerability (Unquoted Service Path) in ProtonVPN v4.4.1 has a public exploit, allowing a local attacker to execute arbitrary code with 'LocalSystem' privileges by placing a malicious executable in a specific directory, which is then launched by the vulnerable 'ProtonVPN Wireguard' service upon startup or restart.</description><content:encoded><![CDATA[<p>A public local privilege escalation exploit has been published on Exploit-DB for ProtonVPN version 4.4.1, leveraging an Unquoted Service Path vulnerability. This flaw specifically affects the 'ProtonVPN Wireguard' service on Windows systems, which is configured to run with <code>LocalSystem</code> privileges. The vulnerability arises because the service's executable path, <code>C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe</code>, is not enclosed in quotation marks. This allows a local attacker with write access to the root directory or <code>C:\Program Files (x86)\</code> to insert a malicious executable named <code>Program.exe</code> or <code>Proton.exe</code> respectively. Upon the next service start or system reboot, the operating system will incorrectly execute the attacker's binary instead of the legitimate ProtonVPN service, granting the attacker <code>LocalSystem</code> privileges. The availability of a working exploit (EDB-52624) significantly elevates the risk for unpatched systems, particularly those tested on Windows 10 Pro x64.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A local attacker gains initial access to a vulnerable Windows system with ProtonVPN v4.4.1 installed.</li>
<li>The attacker identifies the 'ProtonVPN Wireguard' service and its unquoted <code>BINARY_PATH_NAME</code>: <code>C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe</code>.</li>
<li>Leveraging the unquoted path vulnerability, the attacker places a malicious executable named <code>Program.exe</code> into the <code>C:\</code> directory.</li>
<li>The attacker waits for the system to reboot, or manually triggers a restart of the 'ProtonVPN Wireguard' service.</li>
<li>During service startup, the Windows Service Control Manager attempts to resolve the service's binary path. Due to the unquoted path, it incorrectly executes <code>C:\Program.exe</code> instead of the intended ProtonVPN binary.</li>
<li>The malicious <code>Program.exe</code> is executed with the privileges of the 'ProtonVPN Wireguard' service, which are <code>LocalSystem</code>.</li>
<li>The attacker's arbitrary code gains <code>LocalSystem</code> privileges, achieving full system control and local privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of this unquoted service path vulnerability allows a local attacker to escalate their privileges to <code>LocalSystem</code>, which is the highest privilege level on a Windows operating system. This grants the attacker complete control over the compromised system, enabling them to install persistent backdoors, deploy additional malware (such as ransomware or infostealers), modify system configurations, create new administrative users, or exfiltrate sensitive data without restriction. Organizations running ProtonVPN v4.4.1 on unpatched Windows endpoints are at risk of lateral movement and full system compromise if an attacker achieves local access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update ProtonVPN to the latest secure version to patch the unquoted service path vulnerability. Refer to the vendor's official channels for guidance.</li>
<li>Deploy the Sigma rule &quot;Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)&quot; provided in this brief to your SIEM solution to detect attempts to exploit this vulnerability.</li>
<li>Ensure Sysmon process creation logging is enabled on all Windows endpoints to ensure the &quot;Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)&quot; rule can collect necessary telemetry.</li>
<li>Implement strong access controls and principle of least privilege to restrict write access to the root directory (<code>C:\</code>) and <code>C:\Program Files (x86)\</code> to prevent malicious binary placement.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category><category>vulnerability</category></item></channel></rss>