CVE-2019-25310

7.8 HIGH

📋 TL;DR

ActiveFax Server 6.92 Build 0316 has an unquoted service path vulnerability in its ActiveFaxServiceNT service. This allows local attackers with write access to system directories to place malicious executables that will be executed with administrative privileges when the service starts. Only systems running the vulnerable ActiveFax Server version are affected.

💻 Affected Systems

Products:
  • ActiveFax Server
Versions: 6.92 Build 0316
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems where ActiveFax Server is installed as a service with an unquoted path.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary code execution with SYSTEM/administrative privileges, leading to complete control of the affected server.

🟠 Likely Case

Local privilege escalation where an authenticated user gains administrative privileges on the system.

🟢 If Mitigated

No impact if proper access controls prevent unauthorized users from writing to system directories.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Internal attackers with standard user access can potentially escalate to administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and ability to write to a directory in the system path. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of ActiveFax Server

Vendor Advisory: https://www.actfax.com/

Restart Required: Yes

Instructions:

  1. Upgrade to a newer version of ActiveFax Server.
  2. Alternatively, manually edit the service path to include quotes around the executable path.
  3. Restart the ActiveFaxServiceNT service.

🔧 Temporary Workarounds

Quote Service Path

windows

Manually add quotes around the service executable path in Windows Registry

sc config ActiveFaxServiceNT binPath= "\"C:\Program Files\ActiveFax\ActiveFaxServiceNT.exe\""

Restrict Directory Permissions

windows

Set strict permissions on directories in the system PATH to prevent unauthorized writes

icacls "C:\Program Files\ActiveFax" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from writing to directories in the system PATH
  • Monitor for unauthorized file creation in system directories and service-related registry changes

🔍 How to Verify

Check if Vulnerable:

Check if ActiveFaxServiceNT service path is unquoted: sc qc ActiveFaxServiceNT | findstr BINARY_PATH_NAME

Check Version:

Check ActiveFax Server version in program files directory or via installed programs list

Verify Fix Applied:

Verify the service path now has quotes: the output of sc qc ActiveFaxServiceNT | findstr BINARY_PATH_NAME should show quotes around the executable path.
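
The same check generalized to every service on a host, as an added PowerShell example that is not part of the original advisory or any vendor tooling. The function names and the QuotedSvc/NoSpaceSvc entries are constructed for illustration, and the ActiveFax path is the one assumed in the sc config line above.

```powershell
# Added example: flag service ImagePath values that are unquoted and contain a
# space in the executable portion, and show the quoted form to set instead.
function Get-UnquotedServicePathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $raw = $PathName.Trim()
    if ($raw.StartsWith('"')) { return }            # already quoted
    # Split "<exe> <arguments>" at the first ".exe" followed by whitespace or end.
    if (-not ($raw -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$')) { return }
    $exe = $Matches['exe']
    if (-not $exe.Contains(' ')) { return }         # no space, path is unambiguous
    $rest = if ($Matches['args']) { $Matches['args'] } else { '' }
    [pscustomobject]@{
        Service   = $Name
        Current   = $raw
        Suggested = '"{0}"{1}' -f $exe, $rest       # quote the executable, keep arguments
    }
}

# Read-only audit of every service registered on the local Windows host.
function Invoke-ServicePathAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object PathName |
        ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName }
}

# Constructed sample entries covering the unquoted, quoted and no-space cases.
$samples = @(
    [pscustomobject]@{ Name = 'ActiveFaxServiceNT'; PathName = 'C:\Program Files\ActiveFax\ActiveFaxServiceNT.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc';  PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples |
    ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName } |
    Format-List
```

Call Invoke-ServicePathAudit on a Windows host to list every service whose path needs quoting; the Suggested value is what the service's image path should be changed to.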

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service restarts of ActiveFaxServiceNT
  • File creation events in system directories by non-admin users

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

EventID=4688 AND ProcessName LIKE '%ActiveFaxServiceNT%' AND CommandLine NOT CONTAINS '"'
