CVE-2022-50917

7.8 HIGH

📋 TL;DR

CVE-2022-50917 is an unquoted service path vulnerability in ProtonVPN's WireGuard service that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in specific file system locations to be executed when the service starts. This affects ProtonVPN users on Windows systems with version 1.26.0 installed.

💻 Affected Systems

Products:
  • ProtonVPN
Versions: 1.26.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations where the WireGuard service path contains spaces and is unquoted in the service configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains SYSTEM-level privileges and full control of the system, enabling persistence, data theft, and lateral movement.

🟠 Likely Case

Local attacker gains elevated privileges to install malware, modify system configurations, or access sensitive data.

🟢 If Mitigated

Attack fails due to proper file permissions, application whitelisting, or the service path being properly quoted after patching.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Malicious insiders or compromised accounts can exploit this to gain SYSTEM privileges on affected workstations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system and ability to write to file system locations that precede the legitimate service executable in the unquoted path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.1 and later

Vendor Advisory: https://protonvpn.com/support/unquoted-service-path-vulnerability/

Restart Required: Yes

Instructions:

1. Update ProtonVPN to version 1.26.1 or later.
2. Restart the system to ensure the updated service configuration takes effect.

🔧 Temporary Workarounds

Manual Service Path Quoting

Manually edit the WireGuard service configuration to quote the executable path

sc config "ProtonVPN WireGuard" binPath= "\"C:\Program Files\Proton Technologies\ProtonVPN\wireguard\wireguard.exe\""
sc stop "ProtonVPN WireGuard"
sc start "ProtonVPN WireGuard"

Restrict File System Permissions

Set restrictive permissions on directories preceding the legitimate executable in the service path

icacls "C:\Program" /deny "Users:(OI)(CI)(W)"
icacls "C:\Program Files" /deny "Users:(OI)(CI)(W)"
icacls "C:\Program Files\Proton Technologies" /deny "Users:(OI)(CI)(W)"

🧯 If You Can't Patch

  • Uninstall ProtonVPN 1.26.0 and use alternative VPN software
  • Implement application whitelisting to prevent execution of unauthorized binaries in the affected directories

🔍 How to Verify

Check if Vulnerable:

Check if ProtonVPN version is 1.26.0 and examine the WireGuard service path with: sc qc "ProtonVPN WireGuard" | findstr BINARY_PATH_NAME

Check Version:

Check ProtonVPN version in the application interface or via: wmic product where "name like 'ProtonVPN%'" get version

Verify Fix Applied:

Verify ProtonVPN version is 1.26.1+ and check that the service path is properly quoted: sc qc "ProtonVPN WireGuard" | findstr BINARY_PATH_NAME

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from directories preceding legitimate ProtonVPN executables
  • Service control manager events showing WireGuard service failures or unexpected startups

Network Indicators:

  • Unusual outbound connections from SYSTEM-level processes following WireGuard service restarts

SIEM Query:

EventID=4688 AND (NewProcessName contains "C:\\Program" OR NewProcessName contains "C:\\Program Files") AND SubjectUserName="SYSTEM" AND ParentProcessName contains "services.exe"
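
The verification step and the log indicators above can be automated. The following PowerShell is an added example, not code from the advisory or from ProtonVPN: it flags a service image path that is unquoted and contains spaces, and lists the intermediate `.exe` names that should never exist or run on a healthy host. The function name `Get-UnquotedPathFinding` is hypothetical, and the sample inputs are constructed from the path shown in the workaround above.

```powershell
# Added example: audit a service PathName for the unquoted-path condition.
function Get-UnquotedPathFinding {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$PathName
    )

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }      # already quoted: not affected

    # Keep only the executable part; anything after ".exe " is arguments.
    $exe = if ($p -match '(?i)^(.+?\.exe)(\s|$)') { $Matches[1] } else { $p }
    if ($exe -notmatch ' ') { return $null }      # no space: nothing ambiguous

    # Each space is a point where Windows may stop parsing and try "<prefix>.exe".
    $watch = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $watch += $exe.Substring(0, $i) + '.exe' }
    }

    [pscustomobject]@{
        Service   = $ServiceName
        PathName  = $p
        WatchList = $watch                         # names to alert on in 4688 data
        Present   = @($watch | Where-Object { Test-Path -LiteralPath $_ })
    }
}

# Constructed sample input: the unquoted and the quoted form of the same path.
$samples = @(
    @{ ServiceName = 'ProtonVPN WireGuard'
       PathName    = 'C:\Program Files\Proton Technologies\ProtonVPN\wireguard\wireguard.exe' },
    @{ ServiceName = 'ProtonVPN WireGuard'
       PathName    = '"C:\Program Files\Proton Technologies\ProtonVPN\wireguard\wireguard.exe"' }
)
foreach ($s in $samples) { Get-UnquotedPathFinding @s | Format-List }

# On a live host, feed it the real service table instead of the samples:
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Get-UnquotedPathFinding -ServiceName $_.Name -PathName $_.PathName }
```

Only the unquoted sample produces a finding; a non-empty `Present` list means one of the watched files already exists on disk and should be investigated.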
