CVE-2021-47890
📋 TL;DR
LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service. Attackers can place malicious executables in intermediate directories to gain LocalSystem privileges during service startup. This affects all LogonExpert 8.1 installations on Windows systems.
💻 Affected Systems
- LogonExpert
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges, allowing complete control over the affected system, data theft, and lateral movement.
Likely Case
Local privilege escalation to SYSTEM account, enabling installation of persistent malware, credential dumping, and disabling security controls.
If Mitigated
Limited impact if proper file permissions restrict write access to system directories and service paths are monitored.
🎯 Exploit Status
Exploitation requires the ability to write to the filesystem and a service restart or reboot. Public exploit code exists on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.softros.com/
Restart Required: Yes
Instructions:
1. Check vendor website for updated version.
2. Uninstall vulnerable version.
3. Install patched version if available.
4. Restart system.
🔧 Temporary Workarounds
Quote Service Path
Windows: Modify the service path to include quotes around the executable path
sc config LogonExpertSvc binPath= "\"C:\Program Files\LogonExpert\LogonExpertSvc.exe\""
Restrict Directory Permissions
Windows: Remove write permissions for non-administrative users on intermediate directories
icacls "C:\Program Files\LogonExpert" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove LogonExpert if not essential for operations
- Implement strict file integrity monitoring on service directories
🔍 How to Verify
Check if Vulnerable:
Run: sc qc LogonExpertSvc | findstr BINARY_PATH_NAME
Check whether the path contains spaces without quotes and whether the intermediate directories exist.
Check Version:
Check installed programs in Control Panel or run: wmic product where name="LogonExpert" get version
Verify Fix Applied:
Verify that the service path is quoted: sc qc LogonExpertSvc | findstr BINARY_PATH_NAME
The output should show quotes around the path.
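The check described above, as an added example (not from the original page or the vendor): it parses `sc qc` output, flags an unquoted BINARY_PATH_NAME containing spaces, and lists the earlier locations Windows would try together with the directories whose write permissions should be reviewed. The sample output is constructed from the path in the workaround command above, and the function names are illustrative.

```python
import ntpath
import re

# Constructed sample: trimmed `sc qc LogonExpertSvc` output, using the path from
# the page's workaround command. Real output carries more fields.
SAMPLE_UNQUOTED = r"""
SERVICE_NAME: LogonExpertSvc
        BINARY_PATH_NAME   : C:\Program Files\LogonExpert\LogonExpertSvc.exe
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_QUOTED = SAMPLE_UNQUOTED.replace(
    r"C:\Program Files\LogonExpert\LogonExpertSvc.exe",
    r'"C:\Program Files\LogonExpert\LogonExpertSvc.exe"')


def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value, or None if the field is absent."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None


def earlier_candidates(path):
    """Executables Windows tries before the intended one for an unquoted path.

    Each space in the executable portion yields one candidate: the text before
    the space with ".exe" appended. Quoted paths yield none. Assumption: the
    image name ends in ".exe"; anything else is reported as not ambiguous.
    """
    if path.lstrip().startswith('"'):
        return []
    m = re.match(r"(?i)\s*(.+?\.exe)(?=\s|$)", path)  # drop trailing arguments
    exe = m.group(1) if m else ""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(sc_qc_output):
    """Summarise one service: verdict plus the directories to lock down."""
    path = binary_path(sc_qc_output)
    cands = earlier_candidates(path) if path else []
    return {"path": path, "vulnerable": bool(cands), "candidates": cands,
            "review_write_acl": sorted({ntpath.dirname(c) for c in cands})}


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_UNQUOTED), ("after", SAMPLE_QUOTED)):
        print(label, audit(text))
```

For the path used on this page the only earlier candidate is `C:\Program.exe`, so the directory whose write permissions matter is the root of `C:`, not only the LogonExpert install folder.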
📡 Detection & Monitoring
Log Indicators:
- Service Control Manager Event ID 7036 for LogonExpertSvc restarts
- Process creation from unusual paths for LogonExpertSvc
Network Indicators:
- Unusual outbound connections from SYSTEM account after service restart
SIEM Query:
EventID=7036 AND ServiceName="LogonExpertSvc" | join ProcessCreationEvent where ParentImage="*LogonExpertSvc*"