CVE-2022-50918
📋 TL;DR
CVE-2022-50918 is an unquoted service path vulnerability in VIVE Runtime Service that allows local attackers to execute arbitrary code with SYSTEM privileges. Attackers can place malicious executables in specific system directories to gain elevated access when the service starts. This affects systems running VIVE Runtime Service 1.0.0.4.
💻 Affected Systems
- VIVE Runtime Service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, and control the entire system.
Likely Case
Local privilege escalation leading to unauthorized administrative access, data theft, and lateral movement within the network.
If Mitigated
Limited impact if proper access controls prevent local users from writing to system directories and service paths are properly quoted.
🎯 Exploit Status
Exploit requires local access to write files to system directories. Public exploit code is available on Exploit-DB (ID 50824).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest VIVE Runtime Service version
Vendor Advisory: https://developer.vive.com/resources/downloads/
Restart Required: Yes
Instructions:
1. Download latest VIVE Runtime Service from official Vive website.
2. Uninstall current version.
3. Install updated version.
4. Restart system to ensure service updates take effect.
🔧 Temporary Workarounds
Quote Service Path
Windows: Manually modify the service configuration to use quoted paths for the binary executable.
sc config ViveAgentService binPath= "\"C:\Program Files\VIVE\VIVE Runtime Service\ViveAgentService.exe\""
Restrict Directory Permissions
Windows: Set strict permissions on system directories to prevent unauthorized file creation.
icacls "C:\Program Files\VIVE" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"
🧯 If You Can't Patch
- Remove unnecessary local user accounts and restrict local access to systems running VIVE Runtime Service.
- Implement application whitelisting to prevent execution of unauthorized binaries from system directories.
🔍 How to Verify
Check if Vulnerable:
Check if VIVE Runtime Service 1.0.0.4 is installed and if the service path is unquoted using: sc qc ViveAgentService
Check Version:
Check Programs and Features or run: wmic product where name="VIVE Runtime Service" get version
Verify Fix Applied:
Verify service path is quoted and version is updated: sc qc ViveAgentService and check installed programs list.
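A host-side audit for the check described above, as an added example (not code from the vendor or from this page's source): the hypothetical function `Get-UnquotedPathCandidates` lists the paths Windows tries before the real binary when a service image path is unquoted, and the loop reports whether any of them already exists on disk. The sample string is the path from the workaround above, written without quotes.

```powershell
# Added example. Get-UnquotedPathCandidates is a hypothetical helper name.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }      # quoted path: not affected

    # Keep only the executable portion; anything after the first ".exe" is arguments.
    $end = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return @() }
    $exe = $p.Substring(0, $end + 4)
    if ($exe -notmatch ' ') { return @() }      # no space: nothing ambiguous

    # At each space Windows may stop parsing and try "<prefix>.exe" first.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# Constructed sample: the workaround's path with the quotes removed.
$sample = 'C:\Program Files\VIVE\VIVE Runtime Service\ViveAgentService.exe'
Get-UnquotedPathCandidates $sample

# Live audit: every service on this host with an ambiguous image path.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }          # skip services with no image path
    foreach ($c in @(Get-UnquotedPathCandidates $svc.PathName)) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartName = $svc.StartName          # account the service runs as
            Candidate = $c
            Exists    = Test-Path -LiteralPath $c   # True means a file is already there
        }
    }
}
```

A row with `Exists` set to `True` means a file already sits at a location the service could launch instead of its real binary, and it should be investigated before the service is next restarted.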
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized service modifications
- Security logs with unexpected file creation in system directories
- Process creation events for ViveAgentService.exe from unexpected paths
Network Indicators:
- Unusual outbound connections from system-level processes
- Lateral movement attempts from compromised systems
SIEM Query:
EventID=4688 AND ProcessName="ViveAgentService.exe" AND NOT (ImagePath="*\"C:\Program Files\VIVE\VIVE Runtime Service\ViveAgentService.exe\"*")