CVE-2022-50930

8.4 HIGH

📋 TL;DR

CVE-2022-50930 is an unquoted service path vulnerability in Emerson PAC Machine Edition 9.80's TrapiServer service that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects systems running the vulnerable software version where attackers have local access. The vulnerability enables privilege escalation from a lower-privileged user account to full system control.

💻 Affected Systems

Products:
  • Emerson PAC Machine Edition
Versions: 9.80
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the TrapiServer service is installed and running. Requires local access to the system.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with LocalSystem privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.

🟢 If Mitigated

Limited impact if proper access controls prevent local user execution or if service paths are properly secured.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over the network.
🏢 Internal Only: HIGH - Internal attackers with local access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to the system. Public exploit code is available, making exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: https://www.emerson.com/en-us

Restart Required: Yes

Instructions:

  1. Check Emerson's security advisory page for updates.
  2. Apply any available patches.
  3. Restart affected systems.
  4. Verify service paths are properly quoted.

🔧 Temporary Workarounds

Quote Service Path (Windows)

Manually modify the TrapiServer service configuration to use quoted paths

sc config TrapiServer binPath= "\"C:\Program Files\Emerson\PAC\TrapiServer.exe\""

Restrict Service Permissions (Windows)

Modify directory permissions to prevent unauthorized users from writing to the service directories

icacls "C:\Program Files\Emerson\PAC" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to limit local user access to affected systems
  • Monitor for unauthorized service modifications and suspicious file creation in Emerson PAC directories

🔍 How to Verify

Check if Vulnerable:

Check if TrapiServer service path is unquoted: sc qc TrapiServer | findstr BINARY_PATH_NAME

Check Version:

Check Emerson PAC Machine Edition version in Control Panel > Programs and Features

Verify Fix Applied:

Verify service path is quoted and proper permissions are set on Emerson PAC directories
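
The check above can be scripted. The following PowerShell is an added example, not part of the original advisory or any Emerson tooling: it flags service paths that are unquoted and contain a space in the executable portion. The function name Test-UnquotedServicePath is hypothetical, and the sample strings are constructed (the Emerson path is the one used in the workaround on this page).

```powershell
# Added example: classify a service's PathName as unquoted-with-spaces or not.
# Test-UnquotedServicePath is a hypothetical helper name, not a built-in cmdlet.
function Test-UnquotedServicePath {
    param([string]$PathName)

    $p = "$PathName".Trim()
    # Empty values and paths that already start with a quote are not flagged.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Isolate the executable portion (up to the first ".exe"); arguments that
    # follow the executable may legitimately contain spaces.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }

    return $exe.Contains(' ')
}

# Constructed sample values (not read from a real host).
$samples = @(
    'C:\Program Files\Emerson\PAC\TrapiServer.exe',     # unquoted, contains a space
    '"C:\Program Files\Emerson\PAC\TrapiServer.exe"',   # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'        # space only in the arguments
)
foreach ($s in $samples) {
    '{0,-8} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live check on a Windows host: list every flagged service, TrapiServer first.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Sort-Object { $_.Name -ne 'TrapiServer' }, Name |
    Select-Object Name, StartName, StartMode, PathName
```

After applying the quoted binPath workaround, TrapiServer should no longer appear in the live output. Use the path that the host actually reports rather than assuming the one shown here.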

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing service path modifications
  • Unexpected service restarts
  • File creation in Emerson PAC directories

Network Indicators:

  • Unusual outbound connections from systems running Emerson PAC

SIEM Query:

(EventID=7045 AND ServiceName="TrapiServer") OR (ProcessCreation WHERE ImagePath contains "Emerson\\PAC" AND NOT ImagePath starts with '"')
