CVE-2022-50914

8.4 HIGH

📋 TL;DR

CVE-2022-50914 is an unquoted service path vulnerability in EaseUS Data Recovery 15.1.0.0 that allows attackers to place malicious executables in the service path to achieve privilege escalation. When exploited, attackers can execute arbitrary code with LocalSystem privileges. Users running the vulnerable version of EaseUS Data Recovery on Windows systems are affected.

💻 Affected Systems

Products:
  • EaseUS Data Recovery
Versions: 15.1.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the EaseUS UPDATE SERVICE executable (ENSServer.exe) which runs with LocalSystem privileges by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via LocalSystem privilege execution, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to malware installation, data theft, or ransomware deployment on the affected system.

🟢 If Mitigated

Limited impact with proper endpoint protection, application whitelisting, and least privilege principles in place.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the system and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Attackers with initial access to the system (via phishing, malware, or physical access) can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system and ability to write to the service path directory. Proof of concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.2 or later

Vendor Advisory: https://www.easeus.com/

Restart Required: Yes

Instructions:

  1. Download and install the latest version of EaseUS Data Recovery from the official website.
  2. Uninstall the vulnerable version.
  3. Restart the system to ensure the updated service is running.

🔧 Temporary Workarounds

Apply quotes to service path (Windows)

Manually add quotes around the service path in the Windows registry so the Service Control Manager cannot misinterpret the spaces in it. Note that sc.exe requires a space between `binPath=` and the value:

sc config "EaseUS UPDATE SERVICE" binPath= "\"C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\ENSServer.exe\""

Restrict write permissions (Windows)

Remove write permissions for non-administrative users on the EaseUS installation directory:

icacls "C:\Program Files\EaseUS" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Disable the EaseUS UPDATE SERVICE if not required for functionality
  • Implement application whitelisting to prevent execution of unauthorized binaries in the service path

🔍 How to Verify

Check if Vulnerable:

Check whether EaseUS Data Recovery version 15.1.0.0 is installed, then inspect the service's ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EaseUS UPDATE SERVICE in the registry: the system is vulnerable if the path contains spaces and is not enclosed in quotes.

Check Version:

wmic product where name="EaseUS Data Recovery Wizard" get version

Verify Fix Applied:

Verify the installed version is 15.2 or later, and check that the service path in registry is properly quoted.
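The following PowerShell script is an added example, not part of this advisory or of any EaseUS tooling. It performs the verification described above and the pre-check for the two workarounds: it flags every service whose ImagePath is unquoted and contains spaces (not only the EaseUS one), prints the quoted form that `sc.exe config ... binPath=` should be given, and lists the directory prefixes that the quoting ambiguity creates, together with whether a low-privilege group holds create-file rights on them (the directories the `icacls` workaround must cover). The service name and install path come from the advisory; the function names and the set of "low-privilege" identities are assumptions of this example.

```powershell
# Added example (not from the advisory or the vendor): audit Windows services for
# unquoted ImagePath values that contain spaces, and show what must be fixed.
# Run in PowerShell; note that "sc" is an alias for Set-Content there, so the
# remediation command below is written for sc.exe.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Already quoted, or no spaces at all: the Service Control Manager has nothing to misparse.
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    if ($PathName -notmatch ' ') { return $false }
    # Only the executable part matters; arguments after ".exe" may legitimately contain spaces.
    $exePart = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    return ($exePart -match ' ')
}

function Get-QuotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Wrap the executable part in quotes and leave any arguments untouched.
    if ($PathName -match '^(.*?\.exe)(.*)$') { return ('"{0}"{1}' -f $Matches[1], $Matches[2]) }
    return ('"{0}"' -f $PathName)
}

function Get-ProbeDirectories {
    param([Parameter(Mandatory)][string]$ExePath)
    # Every space in an unquoted path yields a prefix the service manager may try first;
    # the parent directory of each prefix is where write access must be denied.
    $dirs = New-Object System.Collections.Generic.List[string]
    $idx = $ExePath.IndexOf(' ')
    while ($idx -ge 0) {
        $parent = Split-Path -Path $ExePath.Substring(0, $idx) -Parent
        if ($parent -and -not $dirs.Contains($parent)) { $dirs.Add($parent) }
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    return $dirs
}

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Assumed set of identities that count as "low privilege" for this check.
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    try { $acl = Get-Acl -Path $Directory -ErrorAction Stop } catch { return $null }
    # Simplification: only Allow ACEs are inspected; an explicit Deny (as set by the
    # icacls workaround) would override these and should be reviewed separately.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $createFiles) -eq $createFiles)) { return $true }
    }
    return $false
}

# PathName from Win32_Service is the service's registry ImagePath.
$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    ForEach-Object {
        $quoted = Get-QuotedServicePath $_.PathName
        $exe    = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }
        [pscustomobject]@{
            Name        = $_.Name
            StartName   = $_.StartName          # LocalSystem is the high-impact case
            PathName    = $_.PathName
            Remediate   = 'sc.exe config "{0}" binPath= "{1}"' -f $_.Name, ($quoted -replace '"', '\"')
            # Directories whose ACLs the icacls workaround must cover, with a writable flag.
            ProbeDirs   = (Get-ProbeDirectories $exe | ForEach-Object {
                              '{0} [lowPrivWritable={1}]' -f $_, (Test-LowPrivWritable $_) }) -join '; '
        }
    }

$findings | Format-List
# Highlight the service this advisory is about, if it is among the findings.
$findings | Where-Object { $_.Name -eq 'EaseUS UPDATE SERVICE' }
```

Run the script again after applying the quoting workaround or the vendor update: the EaseUS entry should no longer appear, and for any other service still listed, a `lowPrivWritable=True` directory is the condition that turns an unquoted path from a misconfiguration into an exposure.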

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing service creation/modification events (ID 7045)
  • Process creation events for ENSServer.exe from unusual paths
  • File creation in EaseUS installation directory by non-administrative users

Network Indicators:

  • Unusual outbound connections from ENSServer.exe process

SIEM Query:

source="Windows Security" EventCode=4688 AND NewProcessName="*ENSServer.exe" AND SubjectUserName!="SYSTEM"
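As an added example (not from the advisory), the PowerShell below collects the two log indicators listed above directly from a host: Service Control Manager event 7045 from the System log, and Security event 4688 for the ENSServer.exe binary. Field names are looked up by name from the event XML rather than by positional index. The service and binary names come from the advisory; the expected install path, the seven-day window, and the helper names are assumptions of this example.

```powershell
# Added example (not from the advisory): hunt for the advisory's log indicators.
# Reading the Security log and seeing 4688 events requires an elevated shell and
# "Audit Process Creation" enabled in the audit policy.
$ServiceName  = 'EaseUS UPDATE SERVICE'
$Binary       = 'ENSServer.exe'
$ExpectedPath = 'C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\ENSServer.exe'  # assumed install path
$Since        = (Get-Date).AddDays(-7)
# In 4688, a process started by the LocalSystem account is attributed to the machine
# account (HOSTNAME$), not to a user named "SYSTEM"; compare against that instead.
$MachineAccount = "$env:COMPUTERNAME`$"

function Get-EventDataMap {
    param([Parameter(Mandatory)]$Record)
    # Map each <Data Name="..."> element of EventData to a hashtable entry.
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 1. Service creation/modification (System log, ID 7045): ServiceName, ImagePath, AccountName.
$serviceEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; Service = $e['ServiceName']; ImagePath = $e['ImagePath']; Account = $e['AccountName'] }
    } |
    Where-Object { $_.Service -eq $ServiceName -or $_.ImagePath -match [regex]::Escape($Binary) }

# 2. Process creation (Security log, ID 4688) for the service binary.
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = Get-EventDataMap $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewProcess = $e['NewProcessName']
            Subject    = $e['SubjectUserName']
            Parent     = $e['ParentProcessName']
        }
    } |
    Where-Object { $_.NewProcess -like "*\$Binary" }

# Anything worth a closer look: the binary running from a path other than the install
# location, or launched under an account that is not the machine (LocalSystem) account.
$suspicious = $procEvents | Where-Object {
    $_.NewProcess -ne $ExpectedPath -or $_.Subject -ne $MachineAccount
}

"Service install/modify events for '$ServiceName':"
$serviceEvents | Format-Table -AutoSize
"Process creation events for $Binary outside the expected path or account:"
$suspicious | Format-Table -AutoSize
```

The same machine-account detail applies to the SIEM query above: a `SubjectUserName!="SYSTEM"` clause will not exclude the legitimate LocalSystem service start, so expect one 4688 hit per boot from `HOSTNAME$` at the expected path, and treat other paths or subjects as the real signal.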
