{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-47974/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2021-47974"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VX Search","VX Search Server","VX Search Enterprise"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","unquoted service path","cve-2021-47974"],"_cs_type":"advisory","_cs_vendors":["Flexense"],"content_html":"\u003cp\u003eVX Search 13.5.28 contains an unquoted service path vulnerability (CVE-2021-47974) affecting both VX Search Server and VX Search Enterprise services. This vulnerability allows a local attacker to escalate privileges to LocalSystem. The vulnerability exists due to the lack of proper quoting around the service executable path, allowing for arbitrary code execution. Successful exploitation requires placing a malicious executable in a directory along the service path. This issue was reported on May 16, 2026. 
Defenders should ensure the service path is properly quoted or upgrade to a patched version if available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the system with a low-privilege account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the unquoted service path for VX Search Server or VX Search Enterprise (e.g., C:\\Program Files\\VX Search).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious executable (e.g., C:\\Program.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious executable in the first directory in the unquoted service path (e.g., C:\\Program Files\\VX Search\\VXSearchService.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker restarts the VX Search service, either directly or by rebooting the system.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to execute the service, but due to the unquoted path, it first executes the malicious executable (C:\\Program.exe) with LocalSystem privileges.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as creating new administrator accounts or installing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker now has elevated privileges and can perform arbitrary actions on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to gain complete control of the affected system, due to arbitrary code execution as SYSTEM. This can lead to data theft, system compromise, and potentially lateral movement within the network. 
Given the nature of VX Search, which is used for file indexing and searching, successful exploitation could also compromise sensitive data stored on the system or network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnclose the service path in double quotes to prevent the operating system from misinterpreting the path (reference CVE-2021-47974).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for executables running from unusual paths, especially those matching the prefix of \u0026ldquo;C:\\Program Files\u0026rdquo; using the Sigma rule \u003ccode\u003eDetect Unquoted Service Path Exploitation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict who can write to directories in the service path.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit service configurations for unquoted paths.\u003c/li\u003e\n\u003cli\u003eConsider using application control solutions to prevent unauthorized executables from running.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:21:44Z","date_published":"2026-05-16T16:21:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vxsearch-privesc/","summary":"VX Search 13.5.28 is vulnerable to an unquoted service path vulnerability (CVE-2021-47974) in both VX Search Server and VX Search Enterprise services, allowing local attackers to escalate privileges by placing malicious executables in unquoted path directories.","title":"VX Search Unquoted Service Path Privilege Escalation (CVE-2021-47974)","url":"https://feed.craftedsignal.io/briefs/2026-05-vxsearch-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2021-47974","version":"https://jsonfeed.org/version/1.1"}