CVE-2021-47861

7.8 HIGH

📋 TL;DR

Event Log Explorer 4.9.3 has an unquoted service path vulnerability that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in specific file system locations that get executed during service startup. This affects systems running Event Log Explorer 4.9.3 with the vulnerable service installed.

💻 Affected Systems

Products:
  • Event Log Explorer
Versions: 4.9.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the vulnerable service (ELODeaEventCollectorService) is installed and running.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with LocalSystem privileges leading to complete control over the affected system, data theft, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation allowing attackers to gain SYSTEM privileges and install persistent backdoors or malware on the compromised system.

🟢 If Mitigated

Limited impact due to proper access controls preventing local users from writing to vulnerable directories.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain SYSTEM privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to the system and ability to write to vulnerable file system locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.4 or later

Vendor Advisory: https://eventlogxp.com/

Restart Required: Yes

Instructions:

  1. Download the latest version from eventlogxp.com
  2. Install the update
  3. Restart the system so the service uses the updated configuration

🔧 Temporary Workarounds

Quote Service Path (Windows)

Manually add quotes around the service path in the Windows Registry. Run this from an elevated Command Prompt: sc.exe requires the space after binPath=, and the inner escaped quotes are what place the quotes into the stored ImagePath value.

sc config "ELODeaEventCollectorService" binPath= "\"C:\Program Files\Event Log Explorer\ELODeaEventCollectorService.exe\""

Restrict Directory Permissions (Windows)

Set restrictive permissions on vulnerable directories to prevent unauthorized writes:

icacls "C:\Program Files\Event Log Explorer" /deny Users:(OI)(CI)W

Note that a deny ACE on Users also applies to administrators, who are members of that group, so remove it before upgrading or uninstalling. For an unquoted path, the directories that matter are the ones preceding each space in the path (here C:\ and C:\Program Files); a default installation does not let standard users write there, so confirm with icacls that nobody has loosened those ACLs.

🧯 If You Can't Patch

  • Remove or disable the ELODeaEventCollectorService if not required
  • Implement strict access controls to prevent local users from writing to vulnerable directories

🔍 How to Verify

Check if Vulnerable:

Check whether ELODeaEventCollectorService exists and has an unquoted path (sc qc reports the path on the BINARY_PATH_NAME line, so filter on that label rather than on "binpath", which never matches):

sc qc "ELODeaEventCollectorService" | findstr /i "BINARY_PATH_NAME"

The service is vulnerable if the reported path contains spaces and is not enclosed in double quotes.

Check Version:

Check the Event Log Explorer version in Help > About, or verify the file version of EventLogExplorer.exe.

Verify Fix Applied:

Verify that the service path is quoted:

sc qc "ELODeaEventCollectorService" | findstr /i "BINARY_PATH_NAME"

The output should show the path enclosed in double quotes.
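As an added example (not from the advisory or the vendor), a PowerShell check that applies the same test as the sc qc command to any service's PathName: a path is flagged only when it is unquoted and its executable portion contains a space. The function names and the sample values are constructed for this example; Get-CimInstance Win32_Service is the standard query on a live Windows host.

```powershell
# Added example (not part of the advisory): flag services whose binary
# path is unquoted and contains spaces, the condition CVE-2021-47861
# describes for ELODeaEventCollectorService.
function Test-UnquotedServicePath {
    param(
        # Raw PathName as reported by Win32_Service, e.g.
        # C:\Program Files\Event Log Explorer\ELODeaEventCollectorService.exe
        [Parameter(Mandatory)][string]$PathName
    )
    $p = $PathName.Trim()
    # A path that starts with a double quote is already quoted: safe.
    if ($p.StartsWith('"')) { return $false }
    # Strip trailing arguments: keep everything up to and including ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    # Vulnerable only when the unquoted executable path contains a space.
    return $exe.Contains(' ')
}

function Get-UnquotedServices {
    # Enumerate services on this host and report the unsafe ones
    # together with the account they run as.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
        Select-Object Name, StartName, PathName
}

# Constructed sample values so the parser can be checked offline.
$samples = @{
    'C:\Program Files\Event Log Explorer\ELODeaEventCollectorService.exe'   = $true
    '"C:\Program Files\Event Log Explorer\ELODeaEventCollectorService.exe"' = $false
    'C:\Windows\system32\svchost.exe -k netsvcs'                             = $false
}
foreach ($s in $samples.GetEnumerator()) {
    $got = Test-UnquotedServicePath $s.Key
    if ($got -ne $s.Value) { throw "Unexpected result for $($s.Key)" }
}
# On a live host: Get-UnquotedServices | Format-Table -AutoSize
```

Any service listed by Get-UnquotedServices with StartName LocalSystem deserves the same binPath= fix shown under Temporary Workarounds.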

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unexpected service starts/stops
  • Security logs showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from system accounts
  • Lateral movement attempts from compromised systems

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS "ELODeaEventCollectorService" AND CommandLine NOT CONTAINS '"'

This query matches the service's own process creation event when it was launched with an unquoted command line, so it is a configuration check rather than evidence of exploitation, and it returns nothing unless process creation auditing with command-line logging is enabled. To detect a hijacked start, look instead for 4688 events whose parent process is services.exe and whose NewProcessName is not the expected ELODeaEventCollectorService.exe path.
