CVE-2021-47880
📋 TL;DR
CVE-2021-47880 is an unquoted service path vulnerability in Realtek Wireless LAN Utility that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in paths containing spaces that get executed when the service starts. This affects systems running Realtek Wireless LAN Utility version 700.1631.
💻 Affected Systems
- Realtek Wireless LAN Utility
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges leading to persistent backdoor installation, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM privileges and install additional malware or modify system configurations.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (49646). Attack requires local access but is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version from Realtek
Vendor Advisory: https://www.realtek.com/en/
Restart Required: Yes
Instructions:
1. Download the latest Realtek Wireless LAN Utility from the official Realtek website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Modify Service Path
Windows: Add quotes to the service path in the Windows Registry to prevent path interpretation issues
sc config "Realtek Wireless LAN Utility" binPath= "\"C:\Program Files\Realtek\Wireless LAN Utility\RtlService.exe\""
Restrict Directory Permissions
Windows: Remove write permissions from directories in the service path for non-administrative users
icacls "C:\Program Files\Realtek" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove or disable Realtek Wireless LAN Utility service if not required
- Implement application whitelisting to prevent execution of unauthorized binaries in system directories
🔍 How to Verify
Check if Vulnerable:
Check service configuration: sc qc "Realtek Wireless LAN Utility" and look for unquoted paths containing spaces
Check Version:
Check program version in Control Panel > Programs and Features or via wmic product where name="Realtek Wireless LAN Utility" get version
Verify Fix Applied:
Verify service path is quoted: sc qc "Realtek Wireless LAN Utility" should show quoted executable path
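Added example (not part of the original advisory or any vendor tooling): a small Python check that reads `sc qc` output and applies the "unquoted path containing spaces" test described above, including the case where the only spaces are in the arguments after the executable. The sample output is constructed, using the service name and path from this page's workaround; the function names are hypothetical.

```python
import re

# Constructed sample of `sc qc` output (not captured from a real host).
SAMPLE_SC_QC = r'''
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Realtek Wireless LAN Utility
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Realtek\Wireless LAN Utility\RtlService.exe
        DISPLAY_NAME       : Realtek Wireless LAN Utility
        SERVICE_START_NAME : LocalSystem
'''

# Executable portion of a command line: everything up to the first ".exe"
# that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r'^(.*?\.exe)(?=\s|$)', re.IGNORECASE)


def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r'^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$',
                  sc_qc_output, re.MULTILINE)
    return m.group(1) if m else None


def is_unquoted_with_spaces(image_path):
    """True when the executable part is unquoted and contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False                 # quoted: the executable is unambiguous
    m = EXE_RE.match(p)
    exe = m.group(1) if m else p     # no ".exe" found: judge the whole string
    return ' ' in exe                # spaces only in arguments do not count


def check_service(sc_qc_output):
    """Return (binary_path, needs_quoting) for one service's `sc qc` output."""
    path = binary_path(sc_qc_output)
    return path, bool(path) and is_unquoted_with_spaces(path)


if __name__ == "__main__":
    path, flagged = check_service(SAMPLE_SC_QC)
    print(f"{path!r}: {'UNQUOTED, needs fix' if flagged else 'ok'}")
```

On a live host, pass the text printed by the `sc qc` command shown above to `check_service`.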
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service start failures
- Process creation from unusual locations in Realtek directories
- Unauthorized file creation in C:\Program Files\Realtek\ directories
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes
- DNS queries for command and control infrastructure
SIEM Query:
source="windows" AND (event_id=7045 OR event_id=4697) AND service_name="Realtek Wireless LAN Utility" AND (process_path="C:\\Program Files\\Realtek" OR parent_process="services.exe")