CVE-2022-50935
📋 TL;DR
CVE-2022-50935 is an unquoted service path vulnerability in the Flame II HSPA USB Modem software for Windows. Attackers can exploit this to execute arbitrary code with SYSTEM privileges by placing malicious executables in strategic locations. Users of the Flame II HSPA USB Modem with the vulnerable software installed on Windows systems are affected.
💻 Affected Systems
- Flame II HSPA USB Modem software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, pivot to other systems, or deploy ransomware.
Likely Case
Local privilege escalation leading to malware installation or credential theft from the compromised system.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application whitelisting are in place.
🎯 Exploit Status
Exploitation requires local access to the Windows system. The exploit is straightforward once an attacker has local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: N/A
Restart Required: No
Instructions:
No official patch available. Remove the vulnerable software or apply workarounds.
🔧 Temporary Workarounds
Quote Service Path
windowsModify the service configuration to use quoted paths in the service executable path.
sc config "ServiceName" binPath= "\"C:\Program Files (x86)\Internet Telcel\ApplicationController.exe\""
Remove Vulnerable Software
windowsUninstall the Flame II HSPA USB Modem software if not needed.
Control Panel > Programs > Uninstall a program > Select 'Flame II HSPA USB Modem' > Uninstall
🧯 If You Can't Patch
- Implement strict application whitelisting to prevent execution of unauthorized binaries.
- Enforce least privilege principles and restrict local access to systems with this software installed.
🔍 How to Verify
Check if Vulnerable:
Check if the service path for the modem software is unquoted: sc qc "ServiceName" | findstr BINARY_PATH_NAMECheck Version:
No specific version check; vulnerability exists in all versions with the unquoted path.Verify Fix Applied:
Verify the service path is quoted: sc qc "ServiceName" | findstr BINARY_PATH_NAME should show quoted path.📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (ID 7045) showing service path modifications
- Unexpected processes running from unusual locations in C:\Program Files (x86)\Internet Telcel\
Network Indicators:
- Unusual outbound connections from the system after local compromise
SIEM Query:
source="Windows" AND event_id=7045 AND (service_name="*Flame*" OR service_name="*Telcel*")