CVE-2019-25345
📋 TL;DR
CVE-2019-25345 is an unquoted service path vulnerability in Realtek IIS Codec Service that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the unquoted service path to achieve privilege escalation. This affects systems running Realtek IIS Codec Service version 6.4.10041.133.
💻 Affected Systems
- Realtek IIS Codec Service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via local privilege escalation to SYSTEM/root, enabling complete control over the affected system, lateral movement, and persistence.
Likely Case
Local attackers gain elevated privileges to install malware, steal credentials, or pivot to other systems on the network.
If Mitigated
Limited impact with proper endpoint protection, least privilege principles, and monitoring that detects unusual service execution.
🎯 Exploit Status
Exploitation requires local access to the system. Public exploit code is available on Exploit-DB (47642).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Realtek for updated drivers/software
Vendor Advisory: https://www.realtek.com/en/
Restart Required: Yes
Instructions:
1. Visit Realtek's official website.
2. Download and install the latest audio drivers/software.
3. Restart the system to apply the changes.
4. Verify that the service path is properly quoted.
🔧 Temporary Workarounds
Quote Service Path (Windows)
Manually modify the service configuration so the binary path is enclosed in double quotes (note that sc.exe requires a space after binPath=):
sc config "Realtek IIS Codec Service" binPath= "\"C:\Program Files\Realtek\Audio\IISCodec\RTKIISCodec.exe\""
Restrict Service Permissions (Windows)
Set strict ACLs on the service installation directory so that standard users can read and execute but not write:
icacls "C:\Program Files\Realtek\Audio\IISCodec" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Disable the Realtek IIS Codec Service if not required
- Implement strict endpoint detection and response (EDR) to monitor for suspicious service execution
🔍 How to Verify
Check if Vulnerable:
Run sc qc "Realtek IIS Codec Service" and check whether the BINARY_PATH_NAME value contains spaces but is not enclosed in double quotes.
Check Version:
Check service properties or Realtek audio driver version in Device Manager
Verify Fix Applied:
Verify that the service path is quoted: sc qc "Realtek IIS Codec Service" | findstr /i "binary_path_name" (the path should begin and end with a double quote).
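The manual sc qc check above covers one service. As an added example that is not part of the original advisory and not Realtek code, the following PowerShell audits every installed service for the same weakness class (an unquoted binary path containing spaces), narrows to the service named in the advisory, and can rewrite the registry ImagePath with the executable portion quoted. It assumes an elevated PowerShell session; the service name and path are taken from the advisory, while the function names and the registry-based repair approach are assumptions for illustration.

```powershell
# Added example; not part of the original advisory and not Realtek code.
# Audits installed services for an unquoted binary path that contains spaces
# (the weakness class CVE-2019-25345 describes) and can rewrite the registry
# ImagePath with the executable portion quoted. Run in an elevated PowerShell
# session. The service name and path come from the advisory; the function
# names and the repair approach are assumptions for illustration.

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    # A path that already starts with a quote is not affected, whatever follows it.
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    # Only the executable portion matters: arguments after ".exe" may contain
    # spaces without creating the ambiguity the Service Control Manager resolves.
    $exeEnd = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exePath = if ($exeEnd -ge 0) { $PathName.Substring(0, $exeEnd + 4) } else { $PathName }
    return [bool]($exePath -match '\s')
}

function Get-UnquotedServicePath {
    # Lists every service whose PathName fails the test; -Name narrows by
    # service name or display name (wildcards allowed).
    param([string]$Name = '*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { ($_.Name -like $Name) -or ($_.DisplayName -like $Name) } |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, DisplayName, StartMode, StartName, PathName
}

function Repair-ServicePath {
    # Quotes the executable portion of ImagePath for one service (by service
    # key name, not display name). Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
    if (-not (Test-UnquotedServicePath $current)) {
        Write-Verbose "${Name}: ImagePath is already quoted or has no spaces: $current"
        return
    }
    $exeEnd = $current.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -ge 0) {
        $exe  = $current.Substring(0, $exeEnd + 4)
        $tail = $current.Substring($exeEnd + 4)
    } else {
        $exe  = $current
        $tail = ''
    }
    $fixed = "`"$exe`"$tail"
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        # ExpandString keeps any %SystemRoot%-style references working.
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        # The SCM reads ImagePath at service start, so restart the service
        # (or reboot) for the change to take effect.
    }
}

# Whole-host audit, then the service named in the advisory.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath -Name 'Realtek IIS Codec Service'

# Preview the repair without touching the registry; drop -WhatIf to apply it.
Repair-ServicePath -Name 'Realtek IIS Codec Service' -WhatIf
```

The audit reports services whose executable portion contains whitespace and is not wrapped in quotes, which is the condition the sc qc check looks for by eye; system services launched as C:\WINDOWS\system32\svchost.exe -k ... pass because only the part up to .exe is inspected. The repair writes the same quoted form the sc config workaround produces, and the -WhatIf switch shows the intended new value first.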
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (7036, 7040, 7045) showing service path modifications
- Process creation from unusual locations in the Realtek directory
Network Indicators:
- No direct network indicators - this is a local exploit
SIEM Query:
(EventID=7045 AND ServiceName="Realtek IIS Codec Service") OR (ProcessName="RTKIISCodec.exe" AND ProcessPath contains spaces without quotes)
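The SIEM pseudo-query above can be run locally on a host with the Windows event log. As an added example that is not part of the original advisory, the following PowerShell reads the Service Control Manager events the advisory lists from the System log (7045 service installed, 7040 start type changed, 7036 running/stopped) for the Realtek service, flags a 7045 whose recorded image path is unquoted, and, where process-creation auditing (Security event 4688) is enabled, reports process starts under the Realtek install directory that are not the expected executable. It needs an elevated session to read the Security log. The service name, directory and executable name come from the advisory; the seven-day look-back window and the function names are assumptions.

```powershell
# Added example; not part of the original advisory. Reads the Service Control
# Manager events the advisory lists (7045/7040/7036) for the Realtek service,
# flags a 7045 whose image path is unquoted, and reports Security 4688
# process starts from the install directory that are not the expected binary.
# Needs an elevated session for the Security log. Service name, directory and
# executable come from the advisory; the window and function names are assumed.

$ServiceName = 'Realtek IIS Codec Service'
$InstallDir  = 'C:\Program Files\Realtek\Audio\IISCodec'
$ExpectedExe = Join-Path $InstallDir 'RTKIISCodec.exe'
$Since       = (Get-Date).AddDays(-7)

function ConvertTo-EventData {
    # Flattens the <EventData> of a Windows event into a hashtable keyed by the
    # Data element names (locale-independent, unlike parsing Message text).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Get-ServiceControlEvents {
    param([string]$Name, [datetime]$StartTime)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7036, 7040, 7045; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertTo-EventData $_
            # 7045 carries the service in ServiceName; 7036/7040 use param1.
            if (-not ($data.Values -contains $Name)) { return }
            $imagePath = $data['ImagePath']   # only present on 7045
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                ImagePath = $imagePath
                Unquoted  = [bool]($imagePath -and -not $imagePath.StartsWith('"') -and ($imagePath -match '\s'))
                Summary   = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Get-UnexpectedProcessStarts {
    param([string]$Directory, [string]$Expected, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertTo-EventData $_
            $proc = $data['NewProcessName']
            if (-not $proc) { return }
            # Anything started from the install directory other than the
            # service binary itself is worth a look.
            if ($proc -like "$Directory\*" -and $proc -ne $Expected) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $data['SubjectUserName']
                    Process = $proc
                    Parent  = $data['ParentProcessName']
                    CmdLine = $data['CommandLine']
                }
            }
        }
}

Get-ServiceControlEvents -Name $ServiceName -StartTime $Since | Format-Table -AutoSize
Get-UnexpectedProcessStarts -Directory $InstallDir -Expected $ExpectedExe -StartTime $Since |
    Format-Table -AutoSize
```

ParentProcessName and CommandLine are only populated on newer Windows builds and when command-line auditing is enabled, so those columns may be empty. A 7045 row with Unquoted set to True means a service was installed with the weak path form; a 7040 row shows a start-type change for the service, and 7036 rows show it starting or stopping, which together cover the "service path modifications" indicator in the advisory.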