CVE-2021-47874
📋 TL;DR
CVE-2021-47874 is an unquoted service path vulnerability in VFS for Git's GVFS.Service Windows service that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in the unquoted path to gain privilege escalation. This affects Windows systems running vulnerable versions of VFS for Git.
💻 Affected Systems
- VFS for Git (GVFS)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement across the network.
Likely Case
Local user or malware with initial access escalates privileges to install backdoors, steal credentials, or deploy ransomware across the network.
If Mitigated
Attack limited to initial compromise scope with proper endpoint protection and privilege separation preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local access to the system. Public exploit code exists on Exploit-DB (49661).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.21015.1 and later
Vendor Advisory: https://vfsforgit.org/
Restart Required: Yes
Instructions:
1. Download latest VFS for Git from official site.
2. Uninstall current version.
3. Install updated version.
4. Restart system to ensure service updates.
🔧 Temporary Workarounds
Manual Service Path Quoting
Windows: Manually modify the service path to include quotes around the executable path
sc config GVFS.Service binPath= "\"C:\Program Files\VFS for Git\GVFS.Service.exe\""
Service Removal
Windows: Remove the vulnerable service if VFS for Git functionality is not required
sc stop GVFS.Service
sc delete GVFS.Service
🧯 If You Can't Patch
- Implement strict file system permissions to prevent unauthorized users from writing to parent directories of the service path
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious service manipulation and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Run sc qc GVFS.Service and check whether the reported path is unquoted and contains spaces
Check Version:
Check installed version in Programs and Features or run: wmic product where name="VFS for Git" get version
Verify Fix Applied:
Verify service path is quoted: sc qc GVFS.Service should show path enclosed in quotes
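The check above, automated as an added example (not code from this page or from the VFS for Git project). It goes slightly beyond the text by ignoring spaces that occur only in the service's arguments and by listing the parent directories whose write permissions need auditing. The `sc qc` sample is constructed using the install path from the workaround command on this page, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `sc qc GVFS.Service` output; the path is the one used in
# the workaround command on this page, so confirm the real value on your host.
SAMPLE_SC_QC = r"""
SERVICE_NAME: GVFS.Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\VFS for Git\GVFS.Service.exe
        SERVICE_START_NAME : LocalSystem
"""

# Executable = shortest prefix ending in ".exe" that is followed by whitespace
# or end of string; anything after it is treated as arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None


def assess(image_path):
    """Return (vulnerable, quoted_bin_path, dirs_to_audit) for a service path."""
    path = image_path.strip()
    m = EXE_RE.match(path)
    if path.startswith('"') or not m or " " not in m.group(1):
        # Quoted, unparseable, or spaces only in the arguments: not this issue.
        return (False, path, [])
    exe, args = m.groups()
    # Windows tries each space-delimited prefix of an unquoted path in turn,
    # so the directory holding each prefix must not be writable by non-admins.
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = str(PureWindowsPath(exe[:i]).parent)
            if parent not in dirs:
                dirs.append(parent)
    return (True, f'"{exe}"{args}', dirs)


if __name__ == "__main__":
    vulnerable, fixed, dirs = assess(binary_path(SAMPLE_SC_QC))
    print("vulnerable:", vulnerable)
    print("quoted binPath value:", fixed)
    print("audit write ACLs on:", dirs)
```

The second return value is the string to pass to `sc config ... binPath=`, and the third is the list of directories covered by the file system permission mitigation.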
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 7045: Service installation with unquoted path
- Unexpected service creation/modification events
- Process creation from unusual locations in service path directories
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=7045 AND (ServiceName="GVFS.Service" OR ImagePath="*GVFS.Service*") AND NOT ImagePath="\"*\""