CVE-2021-47889
📋 TL;DR
Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to execute arbitrary code with elevated privileges. This affects organizations using this specific version of the LAN messaging software on Windows systems. Attackers with local access can exploit the vulnerability to escalate privileges and potentially gain full system control.
💻 Affected Systems
- Softros LAN Messenger
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM-level privileges, enabling complete control over the affected machine, data theft, lateral movement, and persistence establishment.
Likely Case
Local privilege escalation allowing attackers to execute arbitrary code with elevated privileges, potentially leading to credential harvesting, malware installation, or further network compromise.
If Mitigated
Limited impact with proper access controls, monitoring, and restricted user permissions preventing local attackers from accessing vulnerable directories.
🎯 Exploit Status
Exploit requires local access to the system and ability to write to the vulnerable directory path. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.6.5 or later
Vendor Advisory: https://www.softros.com/
Restart Required: Yes
Instructions:
1. Download latest version from Softros website.
2. Uninstall current version.
3. Install updated version.
4. Restart system to ensure service updates apply.
🔧 Temporary Workarounds
Apply proper service path quoting
Windows: Manually edit the service configuration to quote the service path in the Windows Registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SoftrosSpellChecker" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe\"" /f
Restrict directory permissions
Windows: Set strict ACLs on the vulnerable directory to prevent unauthorized write access
icacls "C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Disable the SoftrosSpellChecker service if not required for functionality
- Implement strict access controls and monitoring on the vulnerable directory path
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Softros LAN Messenger version is 9.6.4, and examine the ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoftrosSpellChecker for an unquoted path containing spaces
Check Version:
Check program version in Control Panel > Programs and Features or examine installed software registry entries
Verify Fix Applied:
Verify version is 9.6.5+ and service path in Registry is properly quoted with double quotes
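The registry check described above, as an added PowerShell example (not vendor code and not part of the original page): it flags an unquoted ImagePath that contains spaces, proposes the quoted form, and lists the parent directories whose write permissions should be reviewed. The function name Test-UnquotedServicePath and its output property names are assumptions; the sample path is the one from the workaround command on this page.

```powershell
# Added example. Test-UnquotedServicePath is a hypothetical helper name.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()

    # A value that starts with a double quote is delimited unambiguously.
    if ($path.StartsWith('"')) {
        return [pscustomobject]@{
            Vulnerable = $false; ImagePath = $path; Suggested = $path; AuditDirs = @()
        }
    }

    # Executable portion: shortest leading run ending in ".exe"; the rest is arguments.
    $m    = [regex]::Match($path, '^(.+?\.exe)(?=\s|$)', 'IgnoreCase')
    $exe  = if ($m.Success) { $m.Groups[1].Value } else { $path }
    $rest = $path.Substring($exe.Length)

    # Every space inside the executable path makes the parse ambiguous. The
    # directory that holds each ambiguous prefix must not be writable by
    # unprivileged users, so collect those directories for an ACL review.
    $dirs = for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $prefix = $exe.Substring(0, $i)
        $prefix.Substring(0, $prefix.LastIndexOf('\') + 1)
    }

    [pscustomobject]@{
        Vulnerable = $exe.Contains(' ')
        ImagePath  = $path
        Suggested  = '"{0}"{1}' -f $exe, $rest
        AuditDirs  = @($dirs | Where-Object { $_ } | Select-Object -Unique)
    }
}

# Sample input: the path from this page's workaround command, without quotes.
$sample = 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe'
Test-UnquotedServicePath $sample | Format-List

# On a host where the service is installed, check the live registry value too.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SoftrosSpellChecker'
if (Test-Path $key) {
    $live = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    Test-UnquotedServicePath $live | Format-List
}
```

Each directory in AuditDirs can be passed to icacls to confirm that non-administrative accounts have no write access there.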
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service start failures
- Unexpected processes running from the Spell Checker directory
- File creation/modification in C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\
Network Indicators:
- Unusual outbound connections from the SoftrosSpellChecker service
SIEM Query:
(EventID=7045 AND ServiceName="SoftrosSpellChecker") OR (ProcessCreation WHERE ImagePath contains "Softros Messenger\\Spell Checker")