CVE-2021-47867
📋 TL;DR
CVE-2021-47867 is an unquoted service path vulnerability in WIN-PACK PRO 4.8's ScheduleService that allows local attackers to execute arbitrary code with SYSTEM privileges. This affects systems running WIN-PACK PRO 4.8 on Windows where attackers have local access. The vulnerability enables privilege escalation from a lower-privileged user account to full system control.
💻 Affected Systems
- WIN-PACK PRO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with persistent SYSTEM-level backdoor installation, data theft, and complete control over the affected system.
Likely Case
Local privilege escalation allowing attackers to install malware, steal credentials, and pivot to other systems on the network.
If Mitigated
Limited impact with proper access controls, monitoring, and service hardening in place.
🎯 Exploit Status
Exploitation requires local access and ability to write to a directory in the system path. Public exploit code exists in Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Honeywell security advisory for updated version
Vendor Advisory: https://www.security.honeywell.com/product-repository/winpak
Restart Required: Yes
Instructions:
1. Check Honeywell advisory for patch availability.
2. Apply vendor-provided patch.
3. Restart affected services.
4. Verify service path is properly quoted.
🔧 Temporary Workarounds
Quote Service Path
Windows: Manually modify the service path to include quotes around the executable path
sc config ScheduleService binPath= "\"C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe\""
Restrict Directory Permissions
Windows: Remove write permissions from directories in the vulnerable path for non-administrative users
icacls "C:\Program Files (x86)" /deny Users:(OI)(CI)W
icacls "C:\Program Files" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Monitor for suspicious service creation or modification events and unauthorized executable files in system directories
🔍 How to Verify
Check if Vulnerable:
Run: sc qc ScheduleService and check whether the BINARY_PATH_NAME value (the service's binPath) has quotes around the full executable path
Check Version:
Check WIN-PACK PRO version in Control Panel > Programs and Features or via vendor documentation
Verify Fix Applied:
Verify service path is quoted (sc qc prints the binPath under the label BINARY_PATH_NAME): sc qc ScheduleService | findstr /i BINARY_PATH_NAME
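The check above, generalized as an added example (not the vendor's or this page's own script): a read-only PowerShell audit that flags any Windows service whose executable path is unquoted and contains a space. The function names are hypothetical, and the sample strings are constructed from the path shown in the workaround above.

```powershell
# Added example: read-only audit for unquoted service paths. Makes no changes.

function Test-UnquotedServicePath {
    # Returns $true when the executable portion of a service command line
    # is not wrapped in quotes and contains at least one space.
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }        # already quoted

    # Executable portion: shortest prefix ending in ".exe" that is followed
    # by whitespace (arguments) or end of string. -match is case-insensitive.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        return $Matches['exe'].Contains(' ')
    }
    return $false                                    # no .exe path to judge
}

function Get-UnquotedServicePath {
    # Lists services on the local host whose PathName fails the test above.
    # -Name accepts wildcards; the default audits every service.
    param([string]$Name = '*')

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -like $Name -and $_.PathName -and
            (Test-UnquotedServicePath -PathName $_.PathName)
        } |
        Select-Object Name, StartName, StartMode, PathName
}

# Constructed sample values (not captured from a real host) showing the
# three cases the test distinguishes: unquoted, quoted, and no spaces.
$samples = @(
    'C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe',
    '"C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedServicePath -PathName $s), $s
}

# Audit the service named on this page, then every service on the host.
Get-UnquotedServicePath -Name 'ScheduleService'
Get-UnquotedServicePath | Format-Table -AutoSize
```

An empty result for ScheduleService after applying the workaround or patch means the path is now quoted; any other rows are services on the same host with the same weakness.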
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 7045: Service installed
- Unexpected service creation/modification
- Executable creation in system directories
Network Indicators:
- Unusual outbound connections from ScheduleService process
SIEM Query:
(EventID=7045 AND ServiceName="ScheduleService") OR (ProcessCreation WHERE ImagePath contains "ScheduleService" AND NOT ImagePath contains '"')