CVE-2022-50690
📋 TL;DR
Wondershare MirrorGo 2.0.11.346 has insecure file permissions on ElevationService.exe, allowing local unprivileged users to replace it with malicious code. This enables privilege escalation to LocalSystem level, giving attackers full control of the system. Only users with local access to systems running this specific version are affected.
💻 Affected Systems
- Wondershare MirrorGo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with LocalSystem privileges, allowing installation of persistent malware, credential theft, lateral movement, and data destruction.
Likely Case
Local privilege escalation leading to administrative control of the affected system, enabling further attacks within the network.
If Mitigated
Limited impact if proper access controls prevent local users from modifying system files or if the software is not installed.
🎯 Exploit Status
Exploit requires local user access but is simple to execute - just replace the vulnerable executable with a malicious one. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Wondershare for latest version
Vendor Advisory: https://www.wondershare.com/
Restart Required: Yes
Instructions:
1. Visit Wondershare official website
2. Download latest MirrorGo version
3. Uninstall current version
4. Install updated version
5. Restart system
🔧 Temporary Workarounds
Restrict File Permissions
Windows: Manually set proper permissions on ElevationService.exe to prevent unauthorized modification
icacls "C:\Program Files\Wondershare\MirrorGo\ElevationService.exe" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"
Remove Vulnerable Software
Windows: Uninstall MirrorGo if not required
Control Panel > Programs > Uninstall Wondershare MirrorGo
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from modifying program files
- Monitor for unauthorized file modifications in the MirrorGo installation directory
🔍 How to Verify
Check if Vulnerable:
Check whether ElevationService.exe in the MirrorGo installation directory grants write permissions to non-admin users, using: icacls "C:\Program Files\Wondershare\MirrorGo\ElevationService.exe"
Check Version:
Check MirrorGo About section or examine installation directory for version information
Verify Fix Applied:
Verify file permissions only allow SYSTEM and Administrators full control, and check MirrorGo version is updated
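The permission check described above can be scripted instead of reading icacls output by eye. The following PowerShell is an added example, not part of the original advisory or any vendor tooling; the function name Test-ElevationServiceAcl is hypothetical, and the default path is the one used in this page's icacls commands.

```powershell
# Added example: list ACEs (and ownership) that let principals other than
# SYSTEM and Administrators modify or replace the service binary.
function Test-ElevationServiceAcl {   # hypothetical helper name
    param(
        # Assumed install path, taken from the icacls commands on this page.
        [string]$Path = 'C:\Program Files\Wondershare\MirrorGo\ElevationService.exe'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $trusted = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

    # Rights that allow overwriting, deleting or re-permissioning the file.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_ALL and GENERIC_WRITE can appear unmapped in some ACEs.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a finding too.
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Sid = $owner; Rights = 'Owner'; Inherited = $false }
    }

    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on localized account names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights) -band $writeMask) {
            [pscustomobject]@{ Sid = $sid; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = @(Test-ElevationServiceAcl)
if ($findings.Count) {
    $findings | Format-Table -AutoSize
} else {
    'No write-capable ACEs or ownership for untrusted principals.'
}
```

An empty result after applying the icacls workaround or updating matches the "only SYSTEM and Administrators" state described under Verify Fix Applied.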
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (File system modification) for ElevationService.exe
- Unexpected process creation from MirrorGo directory with SYSTEM privileges
Network Indicators:
- Unusual outbound connections from system processes following local privilege escalation
SIEM Query:
EventID=4663 AND ObjectName LIKE "%ElevationService.exe%" AND Accesses="WriteData (or AddFile)"