CVE-2022-50920
📋 TL;DR
CVE-2022-50920 is an unquoted service path vulnerability in Sandboxie-Plus's SbieSvc Windows service. This allows local attackers to place malicious executables in the service path that will execute with LocalSystem privileges during service startup. Only users running Sandboxie-Plus 5.50.2 on Windows systems are affected.
💻 Affected Systems
- Sandboxie-Plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attackers gain full SYSTEM privileges on the Windows host, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local attackers with basic user privileges escalate to SYSTEM privileges, allowing them to install malware, disable security controls, or access sensitive system resources.
If Mitigated
With proper file permissions and service hardening, exploitation requires administrative privileges, reducing the attack surface to already privileged users.
🎯 Exploit Status
Exploitation requires local access and ability to write to directories in the service path. Public exploit code is available on Exploit-DB (ID 50819).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.50.3 and later
Vendor Advisory: https://sandboxie-plus.com/
Restart Required: Yes
Instructions:
1. Download the latest Sandboxie-Plus version from the official website.
2. Run the installer to upgrade the existing installation.
3. Restart the SbieSvc service or reboot the system.
🔧 Temporary Workarounds
Apply proper file permissions
Windows: Restrict write permissions on directories in the SbieSvc service path to prevent malicious file placement.
icacls "C:\Program Files\Sandboxie-Plus" /deny Users:(OI)(CI)W
Modify service configuration
Windows: Manually update the service binary path to include quotes around the executable path.
sc config SbieSvc binPath= "\"C:\Program Files\Sandboxie-Plus\SbieSvc.exe\""
🧯 If You Can't Patch
- Apply strict file permissions to prevent non-administrative users from writing to directories in the service path.
- Monitor for unauthorized service modifications and suspicious executable creation in system directories.
🔍 How to Verify
Check if Vulnerable:
Check if Sandboxie-Plus version is 5.50.2 and examine SbieSvc service path for unquoted spaces: sc qc SbieSvc
Check Version:
Check Sandboxie-Plus About dialog or examine installed programs in Control Panel.
Verify Fix Applied:
Verify Sandboxie-Plus version is 5.50.3 or later and confirm SbieSvc service path is properly quoted.
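The `sc qc SbieSvc` check above can be scripted. This added example (not part of the original advisory or of Sandboxie-Plus) parses `sc qc` output and, for an unquoted binary path, lists the paths Windows resolves before the intended executable, following the search order documented for CreateProcess. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed `sc qc SbieSvc` output for illustration (not captured from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SbieSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def earlier_candidates(image_path):
    """List the files resolved before the real binary for an unquoted path.

    A quoted path, or a path without spaces, returns an empty list.
    """
    if image_path.startswith('"'):
        return []
    # Keep only the executable part; text after the first ".exe" is arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", image_path, re.I)
    exe = m.group(1) if m else image_path
    # Each space ends a prefix that is tried as "<prefix>.exe".
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def report(sc_qc_output):
    """Summarise one service: OK, or UNQUOTED with the paths to audit."""
    path = binary_path(sc_qc_output)
    if path is None:
        return "BINARY_PATH_NAME not found"
    cands = earlier_candidates(path)
    if not cands:
        return "OK: " + path
    return "UNQUOTED: " + path + " | audit: " + ", ".join(cands)

if __name__ == "__main__":
    print(report(SAMPLE_SC_QC))
```

On a real host, pass the captured text of `sc qc SbieSvc` to `report()`; any path it lists should not exist, and its parent directory should not be writable by non-administrative users.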
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications
- Security logs showing unauthorized file creation in system directories
Network Indicators:
- None - local privilege escalation only
SIEM Query:
EventID=7045 AND ServiceName="SbieSvc" AND ImagePath NOT CONTAINS '"'