CVE-2022-50938
📋 TL;DR
CVE-2022-50938 is an unquoted service path vulnerability in CONTPAQi AdminPAQ 14.0.0. Because the service's binary path is stored without quotes and contains spaces, a local attacker who can write to a directory along that path can plant an executable that the Service Control Manager resolves and runs instead of the intended binary. When exploited, this can lead to arbitrary code execution with LocalSystem privileges during service startup. Organizations running AdminPAQ 14.0.0 on Windows systems are affected.
💻 Affected Systems
- CONTPAQi AdminPAQ
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges leading to complete control of the affected system, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to persistence mechanisms, credential harvesting, and installation of additional malware.
If Mitigated
Limited impact due to proper access controls, service hardening, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local access to the system and ability to write to directories in the service path. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.0.1 or later
Vendor Advisory: https://www.contpaqi.com/descargas
Restart Required: Yes
Instructions:
1. Download the latest version from CONTPAQi's website.
2. Install the update following vendor instructions.
3. Restart the system to ensure the service is updated.
🔧 Temporary Workarounds
Add quotes to service path
Windows: Manually add quotes around the service binary path in the Windows registry so the Service Control Manager no longer treats the spaces as separators. Note that sc.exe strips the outer quotes of the binPath= argument, so the quotes that must end up in the stored path have to be escaped when the command is typed in cmd.exe:
sc config AppKeyLicenseServer binPath= "\"C:\Program Files\CONTPAQi\AdminPAQ\AppKeyLicenseServer.exe\""
Restrict directory permissions
Windows: Remove write permissions for non-administrative users on directories in the service path. Test the deny rule before rolling it out: applied to the whole install tree, it also stops the application from writing data there when it runs under a standard user account.
icacls "C:\Program Files\CONTPAQi\AdminPAQ" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from writing to directories in the service path.
- Monitor for suspicious service modifications and unauthorized file creation in system directories.
🔍 How to Verify
Check if Vulnerable:
Check if AppKeyLicenseServer service path is unquoted: sc qc AppKeyLicenseServer | findstr BINARY_PATH_NAME
Check Version:
Check AdminPAQ version through the application interface or installation directory properties
Verify Fix Applied:
Verify service path has quotes: sc qc AppKeyLicenseServer | findstr BINARY_PATH_NAME and check for version 14.0.1+
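The following PowerShell script is an added example, not CONTPAQi code, that turns the workaround and verification steps above into a repeatable audit: it finds services whose binary path is unquoted and contains spaces, lists the alternative file names the Service Control Manager would try before the real executable, reports which broad groups can create files in those parent directories, and can apply the quoting fix through the service's ImagePath registry value. The service name AppKeyLicenseServer and its path come from the advisory; the function names are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not CONTPAQi code): audit services for unquoted binary paths
# and optionally quote them. Assumes an elevated PowerShell session.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Vulnerable shape: no leading quote and a space inside the executable portion.
    if ($PathName.StartsWith('"')) { return $false }
    $m = [regex]::Match($PathName, '^(?<exe>.*?\.exe)', 'IgnoreCase')
    return $m.Success -and $m.Groups['exe'].Value.Contains(' ')
}

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$ExePath)
    # CreateProcess resolves an unquoted path by trying each space-delimited
    # prefix with ".exe" appended. For the advisory's path
    #   C:\Program Files\CONTPAQi\AdminPAQ\AppKeyLicenseServer.exe
    # it tries C:\Program.exe before the real binary.
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # Non-admin principals with an Allow rule that includes CreateFiles (WriteData).
    # Modify and FullControl include that bit; generic rights are not decoded here.
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $createFiles) -ne 0 -and
            $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Get-UnquotedServiceReport {
    param([string]$Name = '%')   # WQL wildcard; pass 'AppKeyLicenseServer' for one service
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$Name'" |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
        ForEach-Object {
            $svc = $_
            $exe = [regex]::Match($svc.PathName, '^(?<exe>.*?\.exe)', 'IgnoreCase').Groups['exe'].Value
            foreach ($candidate in Get-HijackCandidate $exe) {
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service    = $svc.Name
                    StartName  = $svc.StartName        # e.g. LocalSystem
                    PathName   = $svc.PathName
                    Candidate  = $candidate
                    WritableBy = (Get-BroadWriteAccess $dir) -join ', '
                }
            }
        }
}

function Set-QuotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    # Same effect as the advisory's sc config workaround, done on the ImagePath
    # value under the service key; any trailing arguments are preserved.
    # The service must be restarted afterwards.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if (-not (Test-UnquotedServicePath $current)) { return $current }
    $exe = [regex]::Match($current, '^(?<exe>.*?\.exe)', 'IgnoreCase').Groups['exe'].Value
    $fixed = '"' + $exe + '"' + $current.Substring($exe.Length)
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
    return $fixed
}

# Usage:
Get-UnquotedServiceReport -Name 'AppKeyLicenseServer' | Format-Table -AutoSize
# Get-UnquotedServiceReport | Format-Table -AutoSize          # whole machine
# Set-QuotedServicePath -Name 'AppKeyLicenseServer' -WhatIf  # preview the fix
```

An empty WritableBy column for every candidate means the default ACLs on C:\ and C:\Program Files are intact and the path, while still misconfigured, is not writable by standard users; a non-empty value on a candidate's parent directory is the condition the icacls workaround is meant to remove. After Set-QuotedServicePath, rerun the report and the sc qc check from the advisory to confirm the stored path now starts with a quote.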
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications (Event ID 7040)
- Unexpected service restarts or failures
- Creation of executable files in system directories by non-admin users
Network Indicators:
- Unusual outbound connections from the AdminPAQ service
- Network scanning from the affected system
SIEM Query:
(EventID=7040 AND ServiceName="AppKeyLicenseServer") OR (ProcessCreation WHERE ImagePath CONTAINS "AppKeyLicenseServer" AND CommandLine CONTAINS <unusual parameters>)
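As an added example (not part of the advisory), the PowerShell functions below pull the host-side evidence behind the log indicators and the SIEM query from the local event logs: Service Control Manager events for the named service, and Security process-creation events whose image path is one of the file names an unquoted path would resolve to. It assumes English event messages, process-creation auditing (Security event 4688) enabled, and uses C:\Program.exe as the constructed first hijack candidate for the AdminPAQ path given in the advisory; 7036 is the standard SCM state-change event added here to cover the "unexpected service restarts" indicator.

```powershell
# Added example (not from the advisory): local event-log checks for the
# service and for process starts from hijack-candidate paths.

function Get-ServiceControlEvents {
    param(
        [string]$ServiceName = 'AppKeyLicenseServer',
        [int]$Days = 7,
        # 7040: service configuration (start type) changed, as listed above
        # 7036: service entered the running/stopped state (restart activity)
        [int[]]$Id = @(7040, 7036)
    )
    $filter = @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = $Id; StartTime = (Get-Date).AddDays(-$Days)
    }
    # SCM messages carry the service's display name, which may differ
    # from its key name; match loosely and review the hits.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceName*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-HijackPathProcessStart {
    param(
        # Constructed watch list: the first path CreateProcess would try for
        # the advisory's unquoted AdminPAQ service path.
        [string[]]$WatchPath = @('C:\Program.exe'),
        [int]$Days = 7
    )
    # Security 4688 messages contain a "New Process Name:" line. A process
    # starting from a watched path means a file was planted where the SCM
    # looks before the real binary, which is the condition to alert on.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Message, 'New Process Name:\s+(?<path>[^\r\n]+)')
            if ($m.Success) {
                $path = $m.Groups['path'].Value.Trim()
                if ($WatchPath -contains $path) {
                    [pscustomobject]@{
                        TimeCreated = $_.TimeCreated
                        Image       = $path
                        Detail      = ($_.Message -split "`r?`n")[0]
                    }
                }
            }
        }
}

# Usage:
Get-ServiceControlEvents | Format-Table -AutoSize
Get-HijackPathProcessStart | Format-Table -AutoSize
```

Any result from Get-HijackPathProcessStart warrants immediate investigation of the file at that path and of who created it, since nothing legitimate installs there; results from Get-ServiceControlEvents are expected during patching and should be reconciled against change records, with 7040 entries outside a maintenance window treated as the "service path modifications" indicator above.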