CVE-2021-47828
📋 TL;DR
CVE-2021-47828 is an unquoted service path vulnerability in BOOTP Turbo 2.0.0.1253 that allows attackers to execute arbitrary code with LocalSystem privileges during system startup or reboot. It affects Windows systems running the vulnerable version of the BOOTP Turbo service. Attackers need local access to place malicious executables in specific directories along the service path.
💻 Affected Systems
- BOOTP Turbo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges leading to complete control over the Windows system, persistence mechanisms, and potential lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM privileges and install backdoors, steal credentials, or disable security controls.
If Mitigated
Limited impact if proper file permissions restrict write access to system directories and endpoint protection blocks suspicious executables.
🎯 Exploit Status
Exploitation requires local access to create malicious executables in specific directories. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.weird-solutions.com
Restart Required: Yes
Instructions:
1. Download updated version from vendor website if available
2. Uninstall vulnerable version
3. Install patched version
4. Restart system to ensure service path changes take effect
🔧 Temporary Workarounds
Quote Service Path
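Windows: Modify the service configuration so that the service executable path is quoted. Run the command from an elevated command prompt; the space after binPath= is required, and the path must match the one reported by sc qc for your installation.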
sc config "BOOTP Turbo" binPath= "\"C:\Program Files\BOOTP Turbo\bootpt.exe\""
Restrict Directory Permissions
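Windows: Set strict ACLs on directories in the service path to prevent unauthorized file creation. A deny entry for Everyone also applies to administrators and SYSTEM, so installers and updates that write under this directory can fail while it is in place.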
icacls "C:\Program Files" /deny Everyone:(OI)(CI)W
🧯 If You Can't Patch
- Remove or disable the BOOTP Turbo service if not required
- Implement strict file integrity monitoring on directories in the service path
🔍 How to Verify
Check if Vulnerable:
Check the service configuration with sc qc "BOOTP Turbo" and inspect BINARY_PATH_NAME: the service is vulnerable if the path contains spaces and is not enclosed in quotes.
Check Version:
Check installed version in Programs and Features or run: wmic product where name="BOOTP Turbo" get version
Verify Fix Applied:
Verify service path is quoted: sc qc "BOOTP Turbo" should show quoted executable path
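The check above, as an added example (not from the original page or the vendor): it parses sc qc output, flags an unquoted path with spaces, and lists the directories to cover with ACL review and file integrity monitoring. The sample output is constructed, the function names are hypothetical, and cutting the executable from its arguments at the first .exe is a simplifying assumption.

```python
import re

# Constructed sample of `sc qc "BOOTP Turbo"` output (not captured from a real
# host); the path is the one used in the workaround command on this page.
SAMPLE_SC_QC = r"""
SERVICE_NAME: BOOTP Turbo
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\BOOTP Turbo\bootpt.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*?)[ \t]*$",
                  sc_qc_output, re.MULTILINE)
    return m.group(1) if m else None

def executable_part(image_path):
    """Heuristic (assumption): keep text up to the first '.exe', drop arguments."""
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", image_path.strip())
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path):
    """True when the executable path has a space and no leading quote."""
    path = image_path.strip()
    return not path.startswith('"') and " " in executable_part(path)

def directories_to_watch(image_path):
    """Directories whose ACLs and file-create events matter for this path:
    the parent folder of every space-truncated prefix of the executable."""
    if not is_unquoted_with_spaces(image_path):
        return []
    exe, dirs = executable_part(image_path), []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = exe[:i].rsplit("\\", 1)[0] + "\\"
            if parent not in dirs:
                dirs.append(parent)
    return dirs

if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    print("vulnerable:", is_unquoted_with_spaces(path))
    for d in directories_to_watch(path):
        print("review ACL / monitor:", d)
```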
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation with unquoted paths
- Unexpected executable creation in system directories
- Service control manager logs showing path modifications
Network Indicators:
- Unusual outbound connections from SYSTEM account
- Lateral movement attempts from previously non-privileged accounts
SIEM Query:
source="Windows Security" EventID=4688 AND NewProcessName="*Program Files*" AND SubjectUserName="SYSTEM" AND ParentProcessName="services.exe"