{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/argus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2021-47945"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Surveillance DVR 4.0"],"_cs_severities":["high"],"_cs_tags":["unquoted-service-path","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Argus"],"content_html":"\u003cp\u003eArgus Surveillance DVR 4.0 contains an unquoted service path vulnerability (CVE-2021-47945) in the DVRWatchdog service. This flaw allows a local attacker to escalate privileges on the system. By exploiting the lack of proper quoting in the service\u0026rsquo;s executable path, a malicious actor can insert a rogue executable into a directory along the service\u0026rsquo;s path, typically within the \u0026lsquo;Program Files\u0026rsquo; directory. Upon service restart, the operating system may inadvertently execute the attacker\u0026rsquo;s malicious code instead of the intended legitimate binary, effectively granting the attacker LocalSystem privileges. 
This vulnerability poses a significant risk to systems where Argus Surveillance DVR 4.0 is installed, as it allows for unauthorized access and control over the affected machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the unquoted service path vulnerability in the DVRWatchdog service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious executable in a directory that precedes the actual service executable in the unquoted path (e.g., \u003ccode\u003eC:\\Program Files\\Argus\\DVRWatchdog.exe\u003c/code\u003e is vulnerable, attacker places \u003ccode\u003eC:\\Program.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a restart of the DVRWatchdog service. This can be achieved through various methods, such as using the \u003ccode\u003eservices.msc\u003c/code\u003e management console, PowerShell commands, or by restarting the entire system.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to execute the DVRWatchdog service using the unquoted path. Due to the lack of quotes, the OS misinterprets the path and executes the attacker\u0026rsquo;s malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with LocalSystem privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker now has elevated privileges and can perform arbitrary actions on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to escalate their privileges to LocalSystem. This grants the attacker complete control over the affected system, enabling them to install software, modify data, create new accounts with full administrative rights, and perform other malicious activities. 
Given the nature of surveillance DVR systems, attackers may also gain access to sensitive video and audio recordings, potentially leading to privacy breaches and further exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Argus Surveillance DVR that addresses CVE-2021-47945 if available.\u003c/li\u003e\n\u003cli\u003eEnclose the service path in quotes to prevent exploitation of the unquoted service path vulnerability. This can be achieved by modifying the service configuration using \u003ccode\u003esc.exe config \u0026quot;DVRWatchdog\u0026quot; binPath= \u0026quot;\\\u0026quot;C:\\Program Files\\Argus\\DVR\\DVRWatchdog.exe\\\u0026quot;\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for process creations from unusual locations within the Program Files directory using the Sigma rule \u003ccode\u003eDetect Suspicious Process Creation in Program Files\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability of local users to write files to system directories like \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:21:39Z","date_published":"2026-05-10T13:21:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-argus-dvr-unquoted-path/","summary":"Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service (CVE-2021-47945), enabling local attackers to escalate privileges by placing a malicious executable in the Program Files directory to be executed as LocalSystem.","title":"Argus Surveillance DVR Unquoted Service Path Vulnerability (CVE-2021-47945)","url":"https://feed.craftedsignal.io/briefs/2026-05-argus-dvr-unquoted-path/"}],"language":"en","title":"CraftedSignal Threat Feed — Argus","version":"https://jsonfeed.org/version/1.1"}