CVE-2021-47898
📋 TL;DR
Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service, which runs with LocalSystem privileges. Attackers can exploit this by placing malicious executables in intermediate directories to gain elevated system access. This affects systems running the vulnerable Epson USB Display software.
💻 Affected Systems
- Epson USB Display
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges, allowing attackers to install malware, steal credentials, or establish persistence.
Likely Case
Local privilege escalation leading to administrative access on the compromised system.
If Mitigated
Limited impact if proper endpoint security controls prevent unauthorized file creation in system directories.
🎯 Exploit Status
Exploit requires local access to create files in system directories. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://epson.com.mx/
Restart Required: No
Instructions:
No official patch available. Check Epson website for updated software versions. Consider uninstalling the software if not needed.
🔧 Temporary Workarounds
Modify Service Path
windowsAdd quotes around the service executable path in Windows Registry
sc config EMP_UDSA binPath= "C:\Program Files\EPSON\USB Display\EMP_UDSA.exe"
Restrict Directory Permissions
windowsRemove write permissions for non-administrative users on affected directories
icacls "C:\Program Files\EPSON\USB Display" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Uninstall Epson USB Display software if not required
- Implement strict endpoint security controls to prevent unauthorized file creation in system directories
🔍 How to Verify
Check if Vulnerable:
Check if EMP_UDSA service exists and has an unquoted path: sc qc EMP_UDSA | findstr BINARY_PATH_NAMECheck Version:
Check installed software version in Control Panel > Programs and FeaturesVerify Fix Applied:
Verify service path is quoted and directory permissions are restricted📡 Detection & Monitoring
Log Indicators:
- Unexpected file creation in Epson USB Display directories
- Suspicious process execution from intermediate directories
Network Indicators:
- None - local vulnerability
SIEM Query:
Process creation where parent process is services.exe and command line contains unquoted path to EMP_UDSA.exe