CVE-2022-50915

7.8 HIGH

📋 TL;DR

CVE-2022-50915 is an unquoted service path vulnerability in PTPublisher's PTProtect service that allows local attackers to execute arbitrary code with SYSTEM privileges by placing malicious executables in the unquoted path. This affects users running PTPublisher 2.3.4 on Windows systems where attackers have local access. The vulnerability enables privilege escalation from a lower-privileged user account to full system control.

💻 Affected Systems

Products:
  • Primera Technology PTPublisher
Versions: 2.3.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems due to Windows service path handling. Requires local access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with persistent backdoor installation, data theft, ransomware deployment, and complete control over the affected system.

🟠 Likely Case

Local privilege escalation leading to lateral movement within the network, credential harvesting, and installation of additional malware.

🟢 If Mitigated

Limited impact due to restricted local access, proper endpoint protection, and service hardening preventing successful exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any attacker with local access (malicious insider, compromised user account, or malware with user privileges) can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access but is simple to execute. Public exploit code exists on Exploit-DB (ID 50885).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.5 or later

Vendor Advisory: https://www.primera.com/

Restart Required: Yes

Instructions:

1. Download the latest PTPublisher version from the Primera Technology website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure the service updates apply.

🔧 Temporary Workarounds

Service Path Quoting

windows

Manually modify the service configuration to use quoted paths in the service executable path

sc config PTProtect binPath= "\"C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe\""

Service Removal

windows

Remove or disable the vulnerable PTProtect service if not required

sc stop PTProtect
sc delete PTProtect

🧯 If You Can't Patch

  • Restrict local access to systems running PTPublisher through strict access controls and privilege management
  • Implement application whitelisting to prevent execution of unauthorized binaries in vulnerable directories

🔍 How to Verify

Check if Vulnerable:

Run sc qc PTProtect and check whether the service's binary path, C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe, contains spaces and is not enclosed in quotes.

Check Version:

Check PTPublisher About dialog or installed programs list for version number

Verify Fix Applied:

Verify service path is quoted: sc qc PTProtect should show path enclosed in quotes. Check PTPublisher version is 2.3.5 or higher.
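
An added example (not from the vendor or the original advisory) that automates the check above in PowerShell: it flags an unquoted service path and lists the intermediate locations Windows resolves before the real binary, so they can be inspected for unexpected files. The function name Test-UnquotedServicePath and its output fields are assumptions made for this example.

```powershell
# Added example: audit helper, not vendor code. Sample paths below are constructed.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    $report = [ordered]@{
        ImagePath      = $path
        Unquoted       = $false
        PathsToInspect = @()   # locations Windows resolves before the real binary
        UnexpectedFile = @()   # entries of PathsToInspect that exist on this host
    }

    # A leading quote makes the executable name unambiguous.
    if ($path.StartsWith('"')) { return [pscustomobject]$report }

    # Isolate the executable portion, dropping any trailing arguments.
    if ($path -notmatch '^(.+?\.exe)(\s|$)') { return [pscustomobject]$report }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return [pscustomobject]$report }

    # Each space-delimited prefix is tried as "<prefix>.exe" before the full path.
    $tokens = $exe -split ' '
    $prefixes = for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }

    $report.Unquoted       = $true
    $report.PathsToInspect = @($prefixes)
    $report.UnexpectedFile = @($prefixes | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    [pscustomobject]$report
}

# Constructed inputs: the unquoted path from this advisory, then the quoted form.
$samples = @(
    'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe',
    '"C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe"'
)
$samples | ForEach-Object { Test-UnquotedServicePath -ImagePath $_ } | Format-List

# Live check on a host where the service is installed.
Get-CimInstance -ClassName Win32_Service -Filter "Name='PTProtect'" |
    ForEach-Object { Test-UnquotedServicePath -ImagePath $_.PathName } | Format-List
```

Any entry reported under UnexpectedFile warrants investigation, since no legitimate installer places executables at those locations.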

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Service Control Manager events for PTProtect service modifications
  • Process creation from unusual locations in 'C:\Program Files (x86)\Primera Technology\PTPublisher' directory

Network Indicators:

  • Unusual outbound connections from system processes following local privilege escalation

SIEM Query:

EventID=7045 OR (ProcessCreation AND ImagePath CONTAINS 'Primera Technology' AND NOT ImagePath CONTAINS 'UsbFlashDongleService.exe')
