CVE-2021-47869

7.8 HIGH

📋 TL;DR

CVE-2021-47869 is an unquoted service path vulnerability in the BRA_Scheduler service of Brother BRAdmin Professional 3.75. Because the service's executable path is unquoted and contains spaces, a local attacker who can write to the C:\Program Files (x86)\Brother\ directory can place a malicious executable named 'BRAdmin' there; the service control manager may then run that file as SYSTEM when the service starts. Only users with local access to affected Windows systems running this specific software are impacted.

💻 Affected Systems

Products:
  • Brother BRAdmin Professional
Versions: Version 3.75 specifically (and possibly earlier versions with similar configurations)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires installation of BRAdmin Professional 3.75 on Windows with default service path configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence, and lateral movement.

🟠 Likely Case: Local user with basic privileges escalates to SYSTEM to install malware, backdoors, or disable security controls.

🟢 If Mitigated: Attack fails due to proper file permissions, application whitelisting, or lack of local access.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any compromised local account (e.g., via phishing, malware) could exploit this to gain SYSTEM privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to write to C:\Program Files (x86)\Brother\ directory. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to BRAdmin Professional 4.x or later (check vendor for latest)

Vendor Advisory: https://support.brother.com/g/b/downloadend.aspx?c=us&lang=en&prod=hls7000dn_us_eu_as&os=10013&dlid=dlf005042_000&flang=4&type3=26

Restart Required: Yes

Instructions:

  1. Download the latest BRAdmin Professional from the Brother support site.
  2. Uninstall version 3.75.
  3. Install the updated version.
  4. Restart the system to ensure the service updates apply.

🔧 Temporary Workarounds

Set restrictive file permissions on the Brother directory (Windows)

Prevent non-administrative users from writing to C:\Program Files (x86)\Brother\:

icacls "C:\Program Files (x86)\Brother" /deny Users:(OI)(CI)W

Note that a deny ACE on Users applies to every account that is a member of that group, including administrators, and may block the product's own updates or uninstall; test it before deploying widely.

Quote the service path manually (Windows)

Modify the BRA_Scheduler service so that its registered path is quoted. Substitute the path currently stored in the service's ImagePath value if it differs from the one shown:

sc config BRA_Scheduler binPath= "\"C:\Program Files (x86)\Brother\BRAdmin\BRAScheduler.exe\""

🧯 If You Can't Patch

  • Remove write permissions for standard users on C:\Program Files (x86)\Brother\ directory
  • Implement application whitelisting to block execution of unauthorized binaries in that path

🔍 How to Verify

Check if Vulnerable:

Check whether BRAdmin Professional 3.75 is installed and whether the BRA_Scheduler service path (the ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BRA_Scheduler) is unquoted and contains spaces.

Check Version:

Check Add/Remove Programs or run 'wmic product get name,version' and look for Brother BRAdmin Professional. Querying Win32_Product this way is slow because Windows Installer validates every installed package during the query; the Uninstall keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall are a faster source of the same version information.

Verify Fix Applied:

Verify BRAdmin Professional version is 4.x or later, and BRA_Scheduler service path is quoted in registry.
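As an added example (not from this page or from Brother), the following PowerShell script performs the registry check described above for every service, not only BRA_Scheduler: it flags any ImagePath that is unquoted and contains a space, and lists the alternative paths Windows would probe first so the ACLs of those parent directories can be reviewed. The BRAdmin path in the comment is hypothetical; the real value comes from the service's ImagePath on the host.

```powershell
# Added example, not from the original page or from Brother: enumerate services whose
# ImagePath is unquoted and contains a space (the condition under "How to Verify"),
# and list the prefixes Windows would try, so the ACLs of those directories can be reviewed.
# Assumes read access to HKLM\SYSTEM\CurrentControlSet\Services (standard users have it).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ExecutablePart {
    param([string]$ImagePath)
    # Strip arguments: the executable portion ends at the first ".exe" token.
    $p = $ImagePath.Trim()
    $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $p.Substring(0, $idx + 4) }
    return $p
}

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    # A value that starts with a double quote is safe regardless of spaces.
    if ($ImagePath.TrimStart().StartsWith('"')) { return $false }
    return (Get-ExecutablePart $ImagePath).Contains(' ')
}

function Get-ProbedPaths {
    # For a hypothetical "C:\Program Files (x86)\Brother\BRAdmin Professional 3\BRAScheduler.exe"
    # this returns C:\Program.exe, C:\Program Files.exe,
    # C:\Program Files (x86)\Brother\BRAdmin.exe and
    # C:\Program Files (x86)\Brother\BRAdmin Professional.exe: each prefix ending at a
    # space is tried, in order, before the full path. Those directories need review.
    param([string]$ImagePath)
    $exe = Get-ExecutablePart $ImagePath
    $parts = $exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

$findings = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and (Test-UnquotedServicePath $props.ImagePath)) {
        [pscustomobject]@{
            Service     = $svc.PSChildName      # BRA_Scheduler is the service this page names
            ImagePath   = $props.ImagePath
            ProbedPaths = (Get-ProbedPaths $props.ImagePath) -join '; '
        }
    }
}

$findings | Format-List
```

A host is only exposed where a flagged ProbedPaths entry sits in a directory that non-administrators can write to, so follow the listing with an icacls review of those directories.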

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) showing execution of unexpected binaries from C:\Program Files (x86)\Brother\
  • File creation events in C:\Program Files (x86)\Brother\ by non-admin users

Network Indicators:

  • Unusual outbound connections from system processes post-exploit

SIEM Query:

EventID=4688 AND (NewProcessName="*\\Brother\\BRAdmin.exe" OR NewProcessName="*\\Brother\\*.exe") AND SubjectUserName!="*SYSTEM" AND SubjectUserName!="*Administrator*"
