CVE-2021-47787

7.8 HIGH

📋 TL;DR

CVE-2021-47787 is an unquoted service path vulnerability in TotalAV antivirus software that allows attackers with local access to place malicious executables in specific unquoted path segments. When exploited, this can lead to privilege escalation to SYSTEM-level access. Users running TotalAV 5.15.69 on Windows systems are affected.

💻 Affected Systems

Products:
  • TotalAV Antivirus
Versions: 5.15.69
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects multiple system services running with LocalSystem privileges. The vulnerability exists in the service path configuration where paths containing spaces are not properly quoted.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM-level compromise of the Windows host, allowing complete control over the system, installation of persistent malware, credential theft, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation from a lower-privileged user account to SYSTEM, enabling installation of additional malware, disabling security controls, or accessing sensitive system resources.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized users from writing to system directories and if endpoint detection is monitoring for suspicious service behavior.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the system and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Attackers with initial access to a local user account (through phishing, malware, or other means) can exploit this to escalate privileges and compromise the entire system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to write to specific directories in the service path. Proof-of-concept code is publicly available on Exploit-DB.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 5.15.69

Vendor Advisory: https://www.totalav.com

Restart Required: Yes

Instructions:

1. Update TotalAV to the latest version.
2. Restart the system to ensure the updated services are running.
3. Verify that the service paths are properly quoted in the Windows service configuration.

🔧 Temporary Workarounds

Manually quote service paths

Manually edit the service configuration to add quotes around paths containing spaces:

sc config "ServiceName" binPath= "\"C:\Program Files\TotalAV\service.exe\""
sc stop "ServiceName"
sc start "ServiceName"

Restrict directory permissions

Set strict ACLs on directories in the unquoted service path to prevent unauthorized writes:

icacls "C:\Program Files\TotalAV" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\TotalAV" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Remove write permissions for non-administrative users on directories in the TotalAV installation path
  • Monitor for suspicious file creation in TotalAV directories and unexpected service behavior

🔍 How to Verify

Check if Vulnerable:

Check whether the TotalAV services have unquoted paths containing spaces: sc qc "ServiceName" | findstr BINARY_PATH_NAME

Check Version:

Check the About section of the TotalAV client, or the installed programs list in Control Panel.

Verify Fix Applied:

Verify that the service paths are quoted and that the installed TotalAV version is greater than 5.15.69.
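The manual sc qc / sc config steps above check and fix one service at a time. The following PowerShell, added here as an example and not taken from the advisory or from TotalAV, audits every user-mode service for the same condition (an unquoted ImagePath whose executable path contains spaces) and can quote the path the way the sc config workaround does. It assumes an elevated PowerShell 5.1 or later session; the function names are the example's own.

```powershell
# Added example, not part of the original advisory: audit Win32 services for
# an unquoted ImagePath with spaces (the CVE-2021-47787 condition) and quote it.
function Get-UnquotedServicePath {
    param([string]$NameFilter = '*')   # e.g. '*TotalAV*'; default audits all services
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -notlike $NameFilter) { continue }
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only user-mode services (Type 0x10 own process / 0x20 shared) have an
        # executable path that the SCM resolves with CreateProcess; drivers do not.
        if (-not $p.ImagePath -or -not ($p.Type -band 0x30)) { continue }
        # Expand %SystemRoot%-style variables so the real on-disk path is tested.
        $image = [Environment]::ExpandEnvironmentVariables($p.ImagePath.Trim())
        # A leading double quote means the executable is already delimited: safe.
        if ($image.StartsWith('"')) { continue }
        # The executable is everything from the drive letter up to the first ".exe".
        $m = [regex]::Match($image, '^[A-Za-z]:\\.*?\.exe', 'IgnoreCase')
        if (-not $m.Success -or $m.Value -notmatch ' ') { continue }
        [pscustomobject]@{
            Name        = $key.PSChildName
            Executable  = $m.Value
            Arguments   = $image.Substring($m.Length)
            RunsAs      = $p.ObjectName        # LocalSystem is the worst case
            ImagePath   = $image
            RegistryKey = $key.PSPath
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    foreach ($svc in Get-UnquotedServicePath -NameFilter $Name) {
        # Same result as: sc config <name> binPath= "\"C:\path with spaces\x.exe\" args"
        $fixed = '"' + $svc.Executable + '"' + $svc.Arguments
        if ($PSCmdlet.ShouldProcess($svc.Name, "set ImagePath to $fixed")) {
            # Takes effect the next time the service starts (restart required).
            Set-ItemProperty -Path $svc.RegistryKey -Name ImagePath -Value $fixed
        }
    }
}

# Audit first, then preview the change with -WhatIf before applying it for real.
Get-UnquotedServicePath | Format-Table Name, RunsAs, Executable -AutoSize
Get-UnquotedServicePath | ForEach-Object { Repair-UnquotedServicePath -Name $_.Name -WhatIf }
```

Drop -WhatIf to apply the fix, then restart the affected service and re-run the audit to confirm it no longer appears.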

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service restarts
  • File creation events in TotalAV directories by non-administrative users
  • Process creation from unusual locations in service paths

Network Indicators:

  • Unusual outbound connections from SYSTEM-level processes
  • DNS queries for command and control domains from svchost.exe or TotalAV processes

SIEM Query:

EventID=4688 AND NewProcessName contains "TotalAV" AND SubjectUserName!=SYSTEM AND ParentProcessName contains "services.exe"
