CVE-2021-47845
📋 TL;DR
CVE-2021-47845 is an unquoted service path vulnerability in Spy Emergency 25.0.650 that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in paths that get executed before the legitimate service files during system startup or service restart. This affects Windows systems running the vulnerable version of Spy Emergency.
💻 Affected Systems
- Spy Emergency
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege compromise leading to complete host takeover, persistence establishment, and lateral movement within the network.
Likely Case
Local privilege escalation to SYSTEM, enabling installation of malware, credential theft, and disabling of security controls.
If Mitigated
Limited impact with proper endpoint protection, service hardening, and least privilege principles in place.
🎯 Exploit Status
Exploitation requires local access to the system. Public exploit code is available on Exploit-DB (ID 49997). The attack involves creating malicious executables in specific directory paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.0.651 or later
Vendor Advisory: https://www.spy-emergency.com/
Restart Required: Yes
Instructions:
1. Download and install the latest version of Spy Emergency from the official website.
2. Restart the system to ensure the updated services are running.
3. Verify the service paths are now properly quoted.
🔧 Temporary Workarounds
Manually Quote Service Paths
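Windows: From an elevated Command Prompt, edit the service configurations so that the executable paths are stored with quotes around them. The inner quotes are escaped (\") so that they end up in the stored binPath instead of being consumed when the command line is parsed.
sc config SpyEmergencyHealth binPath= "\"C:\Program Files\Spy Emergency\SpyEmergencyHealth.exe\""
sc config SpyEmergencySrv binPath= "\"C:\Program Files\Spy Emergency\SpyEmergencySrv.exe\""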
Restrict Write Permissions
Windows: Remove write permissions from directories in the service path that could be used for exploitation
icacls "C:\Program Files" /deny Users:(OI)(CI)W
icacls "C:\Program Files\Spy Emergency" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove Spy Emergency from critical systems until patched
- Implement strict endpoint detection and response (EDR) rules to monitor for service path manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Run sc qc SpyEmergencyHealth and sc qc SpyEmergencySrv, then check whether the executable path in each BINARY_PATH_NAME (binPath) value is enclosed in quotes.
Check Version:
Check the program version in Control Panel > Programs and Features, or run the Spy Emergency application to see its version info.
Verify Fix Applied:
Verify service paths are quoted using sc qc commands and check Spy Emergency version is 25.0.651 or higher.
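The quoting check above can be scripted so it runs the same way before and after the fix. This is an added example, not vendor or site code: the function name Test-UnquotedServicePath is hypothetical, and the sample strings are constructed from the service paths shown on this page.

```powershell
# Added example: classify a service ImagePath as unquoted-and-ambiguous or not.
function Test-UnquotedServicePath {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()

    # A leading quote means the executable path is delimited.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe"
    # that is followed by whitespace or the end of the string.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }

    # Only a space inside the executable path itself is a finding.
    # Spaces after it belong to arguments and are not ambiguous.
    return $exe.Contains(' ')
}

# Constructed sample values covering the three cases that matter.
$samples = @(
    'C:\Program Files\Spy Emergency\SpyEmergencySrv.exe',    # unquoted, space in executable path
    '"C:\Program Files\Spy Emergency\SpyEmergencySrv.exe"',  # quoted
    'C:\Windows\system32\svchost.exe -k netsvcs'             # unquoted, space only in arguments
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live check of the two services named on this page (run on the affected host).
Get-CimInstance Win32_Service -Filter "Name='SpyEmergencyHealth' OR Name='SpyEmergencySrv'" |
    Select-Object Name, StartName, PathName,
        @{ n = 'Unquoted'; e = { Test-UnquotedServicePath $_.PathName } }
```

Dropping the -Filter argument applies the same check to every service on the host, which is useful for finding other software with the same misconfiguration.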
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (ID 7045) showing service path changes
- Security logs: Unauthorized file creation in Program Files directories
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
EventID=7045 AND (ServiceName="SpyEmergencyHealth" OR ServiceName="SpyEmergencySrv")