CVE-2021-47862
📋 TL;DR
CVE-2021-47862 is an unquoted service path vulnerability in Hi-Rez Studios' HiPatchService that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in the unquoted path to be executed during system startup or reboot. This affects users of Hi-Rez Studios software version 5.1.6.3 on Windows systems.
💻 Affected Systems
- Hi-Rez Studios software with HiPatchService
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local privilege escalation leading to persistence mechanisms, credential dumping, and installation of backdoors on affected systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and service hardening are implemented.
🎯 Exploit Status
Exploit requires local access to the system. Public exploit code is available on Exploit-DB (ID 49701).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later versions than 5.1.6.3
Vendor Advisory: https://www.hirezstudios.com
Restart Required: Yes
Instructions:
1. Update the Hi-Rez Studios software to the latest version.
2. Restart the system to ensure the updated service is running.
3. Verify that the service path is properly quoted in the registry.
🔧 Temporary Workarounds
Manually quote service path
Windows: Manually edit the service's ImagePath value in the Windows Registry so that the executable path is enclosed in quotes. Use the path reported by the existing ImagePath value on the machine, which may differ from the example below.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\HiPatchService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Hi-Rez Studios\HiPatchService.exe\"" /f
Remove vulnerable service
Windows: Disable the vulnerable HiPatchService if it is not required, or delete it entirely. Stop and disable it before deleting, since sc config cannot operate on a service that has already been removed.
sc stop HiPatchService
sc config HiPatchService start= disabled
sc delete HiPatchService
🧯 If You Can't Patch
- Implement strict file system permissions on the service directory to prevent unauthorized file creation
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\HiPatchService" /v ImagePath. If the executable path contains spaces and is not enclosed in quotes, the system is vulnerable.
Check Version:
Check Hi-Rez Studios software version in Control Panel > Programs and Features or via the application interface
Verify Fix Applied:
Verify service path is quoted in registry and no unauthorized executables exist in the service directory path
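The registry check above covers one service by hand. The following PowerShell script is an added example, not part of the advisory or of Hi-Rez Studios' own tooling: it audits every service under HKLM\SYSTEM\CurrentControlSet\Services for the unquoted-path-with-spaces pattern behind CVE-2021-47862, and can quote the ImagePath of one named service. It assumes an elevated session; the -ServiceName default, the -Fix switch and the Test-UnquotedServicePath function are this example's own.

```powershell
# Added example (not the advisory's code): audit services for unquoted ImagePath
# values that contain spaces, and optionally quote one service's path in place.
# Assumes an elevated PowerShell session. -ServiceName and -Fix are assumptions
# of this example, not options of any vendor tool.
param(
    [string]$ServiceName = 'HiPatchService',   # service named in the advisory
    [switch]$Fix                               # only quotes the path of $ServiceName
)

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $p = $ImagePath.Trim()
    # A path that already starts with a quote is not affected by this issue
    if ($p.StartsWith('"')) { return $false }
    # Strip trailing arguments heuristically: keep everything up to and including ".exe"
    $exe = $p
    $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { $exe = $p.Substring(0, $idx + 4) }
    # Vulnerable pattern: whitespace inside the unquoted executable path
    return ($exe -match '\s')
}

function Get-QuotedImagePath {
    param([string]$ImagePath)
    # Wrap only the executable portion in quotes and keep any arguments as-is
    $p = $ImagePath.Trim()
    $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return '"' + $p + '"' }
    $exe  = $p.Substring(0, $idx + 4)
    $args = $p.Substring($idx + 4)
    return '"' + $exe + '"' + $args
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }
    if (Test-UnquotedServicePath -ImagePath $props.ImagePath) {
        [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $props.ImagePath }
    }
}

if ($findings) {
    Write-Host "Services with unquoted paths containing spaces:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unquoted service paths with spaces found."
}

# Remediation for the named service only: quote the executable path in place.
# Writes the value back as REG_EXPAND_SZ, matching the advisory's reg add command.
if ($Fix) {
    $target = $findings | Where-Object { $_.Service -eq $ServiceName }
    if ($target) {
        $new = Get-QuotedImagePath -ImagePath $target.ImagePath
        Set-ItemProperty -Path (Join-Path $root $ServiceName) -Name ImagePath -Value $new -Type ExpandString
        Write-Host "Updated $ServiceName ImagePath to: $new"
        Write-Host "Restart the service or the system for the change to take effect."
    } else {
        Write-Host "$ServiceName is not in the findings; nothing changed."
    }
}
```

Run it without -Fix first to see the full list; the output is the same information the single reg query returns, but for every service on the host, which also catches other software with the same weakness. With -Fix it changes only the service named by -ServiceName, so the audit output stays a read-only record for everything else.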
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (ID 7045) showing service path modifications
- Security logs: Privilege escalation attempts, unexpected process execution with SYSTEM privileges
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes
- Beaconing behavior from newly created services
SIEM Query:
EventID=7045 AND (ServiceName="HiPatchService" OR ImagePath="*HiPatchService*")
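A host-side version of the SIEM query above, as an added example that is not part of the advisory: it reads Service Control Manager event 7045 (a service was installed) from the System log, pulls the event's data fields, and reports entries that reference HiPatchService or that register an executable path containing spaces without quotes. It assumes an elevated session and a readable System log; the -Days parameter and the field names used (ServiceName, ImagePath, AccountName, StartType) are those carried in the 7045 event's EventData.

```powershell
# Added example (not the advisory's code): local hunt over event 7045 for the
# HiPatchService name and for unquoted executable paths with spaces.
# Assumes an elevated PowerShell session. -Days is an assumption of this example.
param([int]$Days = 30)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Event 7045 stores its fields as named EventData/Data elements
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $img      = [string]$data['ImagePath']
    # Same heuristic as the registry check: look at the part before ".exe"
    $exePart  = ($img -split '\.exe', 2, 'IgnoreCase')[0]
    $unquoted = ($img -notmatch '^\s*"') -and ($exePart -match '\s')
    $isTarget = ([string]$data['ServiceName'] -like '*HiPatchService*') -or ($img -like '*HiPatchService*')

    if ($isTarget -or $unquoted) {
        $reason = if ($isTarget) { 'HiPatchService' } else { 'UnquotedPath' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $img
            Account     = $data['AccountName']
            StartType   = $data['StartType']
            Reason      = $reason
        }
    }
}

if ($report) {
    $report | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Host "No matching 7045 events in the last $Days days."
}
```

The Reason column separates the two conditions: a HiPatchService hit shows when the vulnerable service was (re)installed, while an UnquotedPath hit on any other service name is a candidate for the same review and quoting steps described under Temporary Workarounds.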