CVE-2021-47823

7.8 HIGH

📋 TL;DR

CVE-2021-47823 is an unquoted service path vulnerability in Acer ePowerSvc that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects Windows systems where the vulnerable Acer software is installed. Attackers need local access to the system to exploit this vulnerability.

💻 Affected Systems

Products:
  • Acer ePowerSvc
Versions: 6.0.3008.0 and potentially earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Windows systems with Acer ePowerSvc installed. The vulnerability exists in the default installation configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with LocalSystem privileges, allowing complete control over the affected system, installation of persistent malware, credential theft, and lateral movement.

🟠 Likely Case

Local privilege escalation leading to administrative control of the affected system, enabling further attacks within the network.

🟢 If Mitigated

Limited impact if proper access controls prevent local users from writing to vulnerable directories and service paths are properly quoted.

🌐 Internet-Facing: LOW - This requires local access to the system and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Internal attackers with local access can exploit this to gain elevated privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID 49900). Attackers need local access and ability to write to a directory in the unquoted service path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version from Acer or remove the software

Vendor Advisory: https://www.acer.com

Restart Required: Yes

Instructions:

  1. Check for updates through Acer Care Center or Acer website.
  2. Install any available updates for ePowerSvc.
  3. Restart the system to apply changes.
  4. Alternatively, uninstall Acer ePowerSvc if not needed.

🔧 Temporary Workarounds

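Quote Service Path

Platform: Windows

Manually edit the service path so that the stored value includes quotes around the executable path. Run the command from an elevated Command Prompt (cmd.exe). The inner quotes must be escaped with a backslash, otherwise the shell strips them and the path is stored unquoted again. Use the path that sc qc ePowerSvc reports, and keep any arguments after the closing inner quote.

sc config ePowerSvc binPath= "\"C:\Program Files\Acer\ePowerSvc\ePowerSvc.exe\""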

Restrict Directory Permissions

Platform: Windows

Set restrictive permissions on directories in the unquoted service path

icacls "C:\Program Files\Acer" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Remove write permissions for non-administrative users on directories in the unquoted service path
  • Monitor for suspicious file creation in Acer program directories and service startup events

🔍 How to Verify

Check if Vulnerable:

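Check if Acer ePowerSvc service path is unquoted. The path is unquoted if the BINARY_PATH_NAME value contains a space and does not start with a double quote.

sc qc ePowerSvc | findstr BINARY_PATH_NAME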

Check Version:

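Check installed version in Control Panel > Programs and Features or via PowerShell. Querying Win32_Product is slow and triggers a Windows Installer consistency check of every installed MSI package.

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*ePowerSvc*'}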

Verify Fix Applied:

Verify service path is quoted: sc qc ePowerSvc should show quotes around the executable path
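
The same check can be run across every service on a host, which goes beyond the single ePowerSvc query above. This PowerShell audit is an added example, not code from this page or from Acer; the function name Get-UnquotedPathFinding and the two sample records are constructed for illustration.

```powershell
# Added example, not vendor code. Get-UnquotedPathFinding is a hypothetical name.
function Get-UnquotedPathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath
    )
    $path = $ImagePath.Trim()
    # A value that starts with a quote is parsed unambiguously.
    if ($path.StartsWith('"')) { return }
    # Heuristic: the executable ends at the first ".exe"; the rest is arguments.
    $end = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return }
    $exe = $path.Substring(0, $end + 4)
    if (-not $exe.Contains(' ')) { return }   # no space, nothing to misparse

    # Windows tries each space-delimited prefix as "<prefix>.exe" before the
    # real binary, so the folder holding each prefix must not be user-writable.
    $dirs = for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $prefix = $exe.Substring(0, $i)
        $cut = $prefix.LastIndexOf('\')
        if ($cut -ge 0) { $prefix.Substring(0, $cut + 1) }
    }
    [pscustomobject]@{
        Service      = $Name
        ImagePath    = $path
        QuotedForm   = '"' + $exe + '"' + $path.Substring($end + 4)
        ReviewAclsOn = @($dirs | Select-Object -Unique)
    }
}

# Constructed sample records: the path from this page's workaround, unquoted
# and quoted. Only the first should be reported.
$services = @(
    [pscustomobject]@{ Name = 'ePowerSvc'; PathName = 'C:\Program Files\Acer\ePowerSvc\ePowerSvc.exe' }
    [pscustomobject]@{ Name = 'ePowerSvc (quoted)'; PathName = '"C:\Program Files\Acer\ePowerSvc\ePowerSvc.exe"' }
)
# On a Windows host, append every installed service (read-only CIM query).
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    $services += @(Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object PathName | Select-Object Name, PathName)
}
$services |
    ForEach-Object { Get-UnquotedPathFinding -Name $_.Name -ImagePath $_.PathName } |
    Format-List
```

Each folder listed under ReviewAclsOn can then be inspected with icacls to confirm that non-administrative users cannot create files there.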

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7045: Service installed with unquoted path
  • Unexpected file creation in Acer program directories
  • Suspicious service startup events

Network Indicators:

  • No network indicators - local privilege escalation only

SIEM Query:

EventID=7045 AND ServiceName="ePowerSvc" AND NOT ImagePath LIKE "%""%"
