CVE-2021-47825
📋 TL;DR
CVE-2021-47825 is an unquoted service path vulnerability in Acer Updater Service that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects Windows systems running Acer Updater Service version 1.2.3500.0. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Acer Updater Service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges leading to complete control over the affected system, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM-level access on compromised machines, enabling persistence and further exploitation.
If Mitigated
Limited impact with proper endpoint protection, least privilege principles, and monitoring in place to detect suspicious service path modifications.
🎯 Exploit Status
Exploit requires local access to the system. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest Acer Updater Service version
Vendor Advisory: https://www.acer.com/ac/en/US/content/home
Restart Required: Yes
Instructions:
1. Visit Acer support website.
2. Download latest Acer Updater Service.
3. Install the update.
4. Restart the system.
🔧 Temporary Workarounds
Add quotes to service path
Windows: Manually add quotes around the service path in the Windows Registry to prevent path interception
sc config "Acer Updater Service" binPath= "\"C:\Program Files\Acer\Acer Updater\UpdaterService.exe\""
Remove vulnerable service
Windows: Uninstall Acer Updater Service if not required
sc delete "Acer Updater Service"
Uninstall via Programs and Features
🧯 If You Can't Patch
- Restrict local access to vulnerable systems and implement strict endpoint monitoring
- Apply principle of least privilege and monitor for suspicious service path modifications
🔍 How to Verify
Check if Vulnerable:
Check if Acer Updater Service version 1.2.3500.0 is installed and has an unquoted service path: sc qc "Acer Updater Service"
Check Version:
Check file properties of C:\Program Files\Acer\Acer Updater\UpdaterService.exe
Verify Fix Applied:
Verify service path is quoted in Registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\Acer Updater Service" /v ImagePath
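The quoted-path check from the steps above, generalized to every service registered on a host, as an added PowerShell example (not code from this page or from Acer). The function name Test-UnquotedServicePath is hypothetical and the sample values are constructed; the Acer path is the one given in the workaround above.

```powershell
# Added example: flag service ImagePath values that are unquoted AND contain a space
# in the executable portion. Function name is hypothetical, not a built-in cmdlet.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    # Expand %ProgramFiles% and similar first: the expanded value may contain spaces
    # even when the raw registry string does not.
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    # A path that starts with a quote is already delimited correctly.
    if ($path.StartsWith('"')) { return $false }

    # Take everything up to the first ".exe" that is followed by whitespace or
    # end of string; arguments after the executable are ignored.
    if ($path -match '^(?<exe>.+?\.exe)(\s|$)') {
        return $Matches['exe'].Contains(' ')
    }

    # Drivers (.sys) and other non-.exe values are out of scope for this check.
    return $false
}

# Constructed sample values (not read from a real host).
$samples = @(
    'C:\Program Files\Acer\Acer Updater\UpdaterService.exe',    # unquoted, has spaces
    '"C:\Program Files\Acer\Acer Updater\UpdaterService.exe"',  # quoted (fixed state)
    'C:\Windows\system32\svchost.exe -k netsvcs'                # unquoted, no spaces in exe path
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit: list every service whose ImagePath still needs quoting.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($p -and (Test-UnquotedServicePath $p)) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p }
    }
}
```

An empty result from the live audit means no service on the host has an unquoted executable path containing spaces; rerun it after applying the fix or workaround to confirm the Acer entry no longer appears.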
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications
- Unexpected executables running from Acer Updater directory
Network Indicators:
- Unusual outbound connections from SYSTEM account
- Lateral movement attempts from affected systems
SIEM Query:
EventID=7045 AND ServiceName="Acer Updater Service" AND ImagePath NOT CONTAINS '"'