CVE-2021-47863
📋 TL;DR
CVE-2021-47863 is an unquoted service path vulnerability in MacPaw Encrypto that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to achieve privilege escalation. This affects Windows users running Encrypto 1.0.1.
💻 Affected Systems
- MacPaw Encrypto
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to SYSTEM-level access, enabling complete control over the Windows system.
Likely Case
Local privilege escalation allowing attackers to install malware, steal credentials, or pivot to other systems.
If Mitigated
Limited impact if proper access controls prevent local users from writing to program directories.
🎯 Exploit Status
Exploitation requires local access to the system and ability to write to the program directory. Proof of concept is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.2 or later
Vendor Advisory: https://macpaw.com/encrypto
Restart Required: Yes
Instructions:
1. Download the latest version from the MacPaw website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure the service updates apply.
🔧 Temporary Workarounds
Modify Service Path Permissions
Windows: Restrict write permissions to the Encrypto program directory to prevent malicious file placement.
icacls "C:\Program Files\Encrypto" /deny Users:(OI)(CI)W
Quote Service Path Manually
Windows: Manually update the service configuration to use a quoted path in the Windows registry.
sc config "Encrypto Service" binPath= "\"C:\Program Files\Encrypto\EncryptoService.exe\""
🧯 If You Can't Patch
- Uninstall Encrypto if not required
- Implement strict access controls on program directories and monitor for unauthorized file creation
🔍 How to Verify
Check if Vulnerable:
Check whether Encrypto 1.0.1 is installed and verify that the service path shown in Windows Services (services.msc) is an unquoted path under C:\Program Files\Encrypto\
Check Version:
Check Add/Remove Programs or run "wmic product where name='Encrypto' get version"
Verify Fix Applied:
Verify that the installed version is 1.0.2 or later and that the service path shown in Windows Services is quoted.
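The following PowerShell script is an added example for the verification steps above; it is not part of this advisory and not MacPaw's code. It enumerates services whose image path is unquoted and contains a space, lists the executables the Service Control Manager would try before the intended binary (for an unquoted C:\Program Files\Encrypto\EncryptoService.exe that is C:\Program.exe, so the directory that matters is the parent, not only the Encrypto folder itself), and flags candidates whose directory a standard user can write to. The service name "Encrypto Service" and the path are taken from the advisory; the ACL test is a deliberately conservative approximation of effective permissions.

```powershell
# Added example, not part of the advisory or of MacPaw's software: audit Windows
# services for unquoted image paths and report which candidate locations a
# standard (non-administrative) user could drop a file into.

$CreateFiles     = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-StandardUserCanCreateFile {
    # True when a broad principal holds an Allow ACE with CreateFiles (WriteData)
    # on the directory and no matching Deny ACE (e.g. from the icacls workaround)
    # overrides it. Approximation: generic rights and group nesting are ignored.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    try   { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop }
    catch { return $false }   # cannot read the ACL; report as not writable
    $aces = $acl.Access | Where-Object {
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $CreateFiles)
    }
    if ($aces | Where-Object AccessControlType -eq 'Deny') { return $false }
    return [bool]($aces | Where-Object AccessControlType -eq 'Allow')
}

function Get-UnquotedPathCandidate {
    # Candidates CreateProcess tries for an unquoted command line, in order:
    # everything before each space, with ".exe" appended. For
    # "C:\Program Files\Encrypto\EncryptoService.exe" that is "C:\Program.exe".
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe = if ($ImagePath -match '^(.*?\.exe)') { $Matches[1] } else { $ImagePath }
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param([string]$NameFilter = '*')   # e.g. 'Encrypto*' to look at one product

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $NameFilter -and $_.PathName } |
        ForEach-Object {
            $svc  = $_
            $path = $svc.PathName.Trim()
            # A leading quote means the SCM resolves the binary unambiguously
            if ($path.StartsWith('"')) { return }
            $candidates = @(Get-UnquotedPathCandidate -ImagePath $path)
            if ($candidates.Count -eq 0) { return }   # no space in the path

            $writable = @($candidates | Where-Object {
                Test-StandardUserCanCreateFile -Directory (Split-Path -Parent $_)
            })

            [pscustomobject]@{
                Service            = $svc.Name
                ImagePath          = $path
                Candidates         = $candidates
                WritableCandidates = $writable
                # Unquoted alone is a misconfiguration; a writable candidate
                # directory is what makes it exploitable on this host.
                Severity           = if ($writable.Count) { 'Exploitable' } else { 'Misconfigured' }
            }
        }
}

# Usage: audit every service, then the one named in this advisory.
# After the fix (1.0.2) or the sc config workaround, the quoted
# "Encrypto Service" path no longer appears in the output.
Get-UnquotedServicePath | Format-Table Service, Severity, ImagePath -AutoSize
Get-UnquotedServicePath -NameFilter 'Encrypto*' | Format-List
```

Run it from an elevated prompt so every service's ACLs can be read; an empty result for the Encrypto filter after patching is the "fix applied" confirmation, while a result with Severity "Misconfigured" means the path is still unquoted but no broadly writable candidate directory was found.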
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized file creation in C:\Program Files\Encrypto\
- Service control manager events showing Encrypto Service path changes
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
EventID=4688 AND ProcessName LIKE '%Encrypto%' AND CommandLine CONTAINS 'C:\Program Files\Encrypto'