CVE-2022-50913

8.4 HIGH

📋 TL;DR

CVE-2022-50913 is an unquoted service path vulnerability in ITeC ITeCProteccioAppServer that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in the service path to gain elevated access when the service restarts or the system reboots. This affects organizations using ITeCProteccioAppServer on Windows systems.

💻 Affected Systems

Products:
  • ITeC ITeCProteccioAppServer
Versions: All versions prior to patched version (specific version unknown from references)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation path where spaces in the service path are not properly quoted, allowing Windows to search for executables in unintended locations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges leading to complete control over the affected system, data theft, and lateral movement across the network.

🟠 Likely Case: Local privilege escalation allowing attackers to install persistent malware, steal credentials, and maintain long-term access to the system.

🟢 If Mitigated: Limited impact if proper access controls prevent local users from writing to service directories and service restarts are controlled.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any malicious local user or compromised account with write access to service directories can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and ability to write to a directory in the service path. Public exploit code exists on Exploit-DB (ID 50902).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check vendor advisory

Vendor Advisory: https://itec.es/programas/

Restart Required: Yes

Instructions:

  1. Contact ITeC for patched version.
  2. Install updated ITeCProteccioAppServer.
  3. Restart the service or system to apply changes.

🔧 Temporary Workarounds

Quote Service Path

windows

Manually add quotes around the service executable path in Windows Service configuration

sc config "ServiceName" binPath= "\"C:\Program Files\ITeC\ITeCProteccioAppServer.exe\""

Restrict Directory Permissions

windows

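Remove write permissions for non-administrative users on directories in the service path. Because a deny entry overrides allow entries, it also blocks writes by any administrator account that is a member of Users, so test installs and updates after applying it.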

icacls "C:\Program Files\ITeC" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to prevent local users from writing to service directories
  • Monitor for unauthorized service modifications and suspicious executable creation in service paths

🔍 How to Verify

Check if Vulnerable:

Check if ITeCProteccioAppServer service path contains spaces without quotes: sc qc "ITeCProteccioAppServer" | findstr BINARY_PATH_NAME

Check Version:

Check installed version through ITeCProteccioAppServer interface or contact vendor

Verify Fix Applied:

Verify service path is properly quoted: sc qc "ITeCProteccioAppServer" should show path enclosed in quotes
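The check and the quoting workaround above can be applied to saved `sc qc` output, for example when reviewing many hosts. This Python script is an added example, not code from the vendor or from this page; the sample output is constructed, its path is the one used in the workaround above, and the function names are hypothetical.

```python
import re

# Constructed sample of `sc qc` output (trimmed). The path repeats the one in
# the workaround above; it is not confirmed for any real installation.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ITeCProteccioAppServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\ITeC\ITeCProteccioAppServer.exe
        SERVICE_START_NAME : LocalSystem
"""

# Heuristic: the image is everything up to the first ".exe" that is followed
# by whitespace or end of line; the remainder is treated as arguments.
_IMAGE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_qc_output, re.MULTILINE)
    return m.group(1) if m else None

def audit(bin_path):
    """Flag an unquoted image path containing spaces and build the quoted form."""
    if bin_path.startswith('"'):
        return {"vulnerable": False, "fixed": bin_path}
    m = _IMAGE.match(bin_path)
    if not m or " " not in m.group(1):
        # No space in the image path, or not an .exe image (review by hand).
        return {"vulnerable": False, "fixed": bin_path}
    image, args = m.group(1), m.group(2) or ""
    return {"vulnerable": True, "fixed": f'"{image}"{args}'}

def fix_command(service, fixed):
    """Build the `sc config` line in the form shown in the workaround."""
    escaped = fixed.replace('"', '\\"')
    return f'sc config "{service}" binPath= "{escaped}"'

if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    result = audit(path)
    print("BINARY_PATH_NAME:", path)
    print("Unquoted with spaces:", result["vulnerable"])
    if result["vulnerable"]:
        print(fix_command("ITeCProteccioAppServer", result["fixed"]))
```

Arguments after the executable are kept outside the quotes, so a service started with switches keeps them after the fix.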

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 7045: Service installation/modification
  • Unexpected service restarts
  • Creation of executables in service path directories

Network Indicators:

  • Unusual outbound connections from service account
  • Lateral movement attempts from affected system

SIEM Query:

(EventID=7045 AND ServiceName="ITeCProteccioAppServer") OR (ProcessCreation WHERE ImagePath contains "ITeCProteccioAppServer" AND CommandLine contains spaces without quotes)
