CVE-2022-50688

8.4 HIGH

📋 TL;DR

CVE-2022-50688 is an unquoted service path vulnerability in Cobian Backup Gravity that allows local attackers to execute arbitrary code with SYSTEM privileges. This affects users running version 11.2.0.582 on Windows systems where the service path contains spaces and the attacker has local access to create malicious executables.

💻 Affected Systems

Products:
  • Cobian Backup Gravity
Versions: 11.2.0.582
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when service path contains spaces. Requires local access to create malicious executables in service path directories.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.

🟠 Likely Case

Local privilege escalation from a standard user account to SYSTEM, enabling installation of backdoors, credential dumping, and persistence mechanisms.

🟢 If Mitigated

Limited impact with proper endpoint protection, application whitelisting, and restricted local access preventing malicious file creation in service path directories.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers with standard user access can escalate to SYSTEM privileges and compromise the entire system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to create files in service path directories. Public exploit code available on Exploit-DB (ID 50791).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version (check vendor site)

Vendor Advisory: https://www.cobiansoft.com/

Restart Required: Yes

Instructions:

  1. Download the latest version from cobiansoft.com.
  2. Uninstall the current version.
  3. Install the updated version.
  4. Restart the system to ensure service updates take effect.

🔧 Temporary Workarounds

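Quote Service Path (Windows)

Manually modify the service path so that the executable path is enclosed in quotes. sc config replaces the whole binPath value, so confirm the current value with sc qc CobianBackup11 first and carry over any arguments it shows.

sc config CobianBackup11 binPath= "\"C:\Program Files\Cobian Backup 11\CobianBackup11.exe\""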

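Restrict Directory Permissions (Windows)

Remove write permissions from directories in the service path for standard users. Apply the same check to each parent directory at which the unquoted path breaks on a space (here C:\ and C:\Program Files), since those are the locations Windows searches before it reaches the real executable.

icacls "C:\Program Files\Cobian Backup 11" /deny Users:(OI)(CI)W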

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized binaries
  • Use endpoint detection and response (EDR) to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the service path is unquoted:

sc qc CobianBackup11 | findstr BINARY_PATH_NAME

If the path contains spaces and is not enclosed in quotes, the system is vulnerable.

Check Version:

Check the program version in Control Panel > Programs and Features, or run:

wmic product where name="Cobian Backup Gravity" get version

Verify Fix Applied:

Verify that the service path is quoted:

sc qc CobianBackup11 | findstr BINARY_PATH_NAME

The output should show quotes around the path. Also check directory permissions for the service path locations.
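An added example, not code from this page or from Cobian: a PowerShell audit that applies the unquoted-path check above and lists the parent directories whose write permissions matter for the "Restrict Directory Permissions" workaround. The function name Get-UnquotedPathCandidates and the sample records are constructed for illustration; the path is the one used in this page's workaround.

```powershell
# Added example (not vendor or page code): flag unquoted service paths and
# list the directories whose ACLs need review.
function Get-UnquotedPathCandidates {
    param([string]$ImagePath)

    $p = $ImagePath.Trim()
    # A leading quote means the executable path is delimited unambiguously.
    if ($p.StartsWith('"')) { return @() }
    # Treat everything up to the first ".exe" as the intended binary; the
    # remainder is arguments. -match is case-insensitive by default.
    if ($p -notmatch '^(.+?\.exe)(\s|$)') { return @() }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return @() }

    # At each space, Windows first tries "<text before the space>.exe".
    $tokens = $exe -split ' '
    $out = @()
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $out += (($tokens[0..$i] -join ' ') + '.exe')
    }
    return $out
}

# Constructed sample records shaped like Win32_Service objects. On a live host
# replace this array with:  $services = Get-CimInstance Win32_Service
$services = @(
    [pscustomobject]@{ Name = 'CobianBackup11'
        PathName = 'C:\Program Files\Cobian Backup 11\CobianBackup11.exe' },
    [pscustomobject]@{ Name = 'QuotedSample'
        PathName = '"C:\Program Files\Cobian Backup 11\CobianBackup11.exe"' },
    [pscustomobject]@{ Name = 'NoSpaceSample'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

foreach ($svc in $services) {
    $hits = @(Get-UnquotedPathCandidates $svc.PathName)
    if ($hits.Count -eq 0) { continue }
    [pscustomobject]@{
        Service   = $svc.Name
        PathName  = $svc.PathName
        # Parent directories where a standard user must not have write access.
        AuditDirs = ($hits | Split-Path -Parent | Sort-Object -Unique) -join '; '
    }
}
```

Review each AuditDirs entry with icacls to confirm that standard users cannot write there.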

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 (process creation) showing unexpected executables running from service path directories
  • Event ID 7045 (service installation) showing service path modifications

Network Indicators:

  • No network indicators - this is a local privilege escalation

SIEM Query:

EventID=4688 AND (NewProcessName contains "CobianBackup11" OR ParentProcessName contains "services.exe") AND CommandLine contains unexpected executables
