CVE-2022-50923

7.8 HIGH

📋 TL;DR

CVE-2022-50923 is an unquoted service path vulnerability in Cobian Backup 0.9 that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects systems where Cobian Backup is installed with the vulnerable CobianReflectorService. Attackers can exploit this by placing malicious executables in paths that get executed during service startup.

💻 Affected Systems

Products:
  • Cobian Backup
Versions: 0.9
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where CobianReflectorService is installed and running. The vulnerability exists in the service path configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to persistence, credential harvesting, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls prevent local users from writing to vulnerable directories.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any local user (including low-privileged accounts) can exploit this to gain SYSTEM privileges on affected machines.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access with write permission to a directory that Windows searches before reaching the legitimate executable (because the path is unquoted and contains spaces, shorter path prefixes are tried first). A proof of concept is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.cobiansoft.com/

Restart Required: Yes

Instructions:

1. Uninstall Cobian Backup 0.9.
2. Install a different backup solution.
3. Consider upgrading to a supported version if available.
4. Restart the system after removal.

🔧 Temporary Workarounds

Quote Service Path (Windows)

Manually edit the service path to include quotes around the executable path:

    sc config "CobianReflectorService" binPath= "\"C:\Program Files\Cobian Backup\CobianReflector.exe\""

Restrict Directory Permissions (Windows)

Remove write permissions for non-administrative users on directories in the service path:

    icacls "C:\Program Files\Cobian Backup" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Remove Cobian Backup 0.9 completely from all systems
  • Implement strict access controls to prevent local users from writing to directories in the service path

🔍 How to Verify

Check if Vulnerable:

Check if CobianReflectorService exists and has an unquoted path:

    sc qc "CobianReflectorService" | findstr BINARY_PATH_NAME

Check Version:

Check installed programs in Control Panel, or run:

    wmic product where "name like 'Cobian%'" get version

Verify Fix Applied:

Verify that the service path is quoted; the output of

    sc qc "CobianReflectorService" | findstr BINARY_PATH_NAME

should show quotes around the path.
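Added audit helper (not from this page or the vendor): it parses `sc qc` output, flags an image path that is unquoted and contains spaces, and lists the intermediate paths Windows probes before the real executable, so you know which directories' ACLs to review. The `sc qc` sample is constructed, and the rule that the image path ends at the first `.exe` is a simplifying assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `sc qc CobianReflectorService` output (not a real capture).
SC_QC_SAMPLE = r"""
SERVICE_NAME: CobianReflectorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Cobian Backup\CobianReflector.exe
        DISPLAY_NAME       : Cobian Reflector Service
"""


def parse_binary_path(sc_qc_output: str) -> str:
    """Extract the BINARY_PATH_NAME value from `sc qc <service>` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME line found")
    return m.group(1).strip()


def image_part(bin_path: str) -> str:
    """Image path of an unquoted binPath: assumed to end at the first '.exe'
    (trailing service arguments are dropped)."""
    m = re.match(r"(.*?\.exe)(\s|$)", bin_path, re.IGNORECASE)
    return m.group(1) if m else bin_path


def is_unquoted_with_spaces(bin_path: str) -> bool:
    """True when the image path is not quoted and contains a space."""
    if bin_path.startswith('"'):
        return False
    return " " in image_part(bin_path)


def search_candidates(bin_path: str) -> list[str]:
    """Paths Windows tries, in order, before the real executable: each prefix
    ending at a space, with '.exe' appended when the prefix has none."""
    image = image_part(bin_path)
    candidates = []
    for idx, ch in enumerate(image):
        if ch == " ":
            prefix = image[:idx]
            candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def directories_to_lock_down(bin_path: str) -> list[str]:
    """Directories whose write ACLs must be reviewed for the unquoted path."""
    return sorted({str(PureWindowsPath(c).parent) for c in search_candidates(bin_path)})
```

Feed it the real `sc qc` output on a host; the directories it returns are the ones the icacls workaround must cover, not only the install directory itself.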

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing service startup failures
  • Creation of unexpected executables in Cobian Backup directories
  • Process creation from unusual locations in service path

Network Indicators:

  • Unusual outbound connections from SYSTEM account
  • Lateral movement attempts from previously low-privileged accounts

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS "Cobian" AND SubjectUserName NOT IN ("SYSTEM", "Administrator")
