CVE-2023-31747

7.8 HIGH

📋 TL;DR

Wondershare Filmora 12 contains an unquoted service path vulnerability in the NativePushService component. This allows attackers with local access to execute arbitrary code with elevated SYSTEM privileges by placing malicious executables in specific directories. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Wondershare Filmora
Versions: 12.2.1.2088 (specific build mentioned), likely affects other Filmora 12 versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the system. The NativePushService runs with elevated privileges by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and complete control of the affected system.

🟠 Likely Case

Local privilege escalation leading to malware execution, data exfiltration, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper endpoint security controls block unauthorized process execution and monitor for privilege escalation attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Attackers with initial access to a user account can escalate to SYSTEM privileges, enabling lateral movement and persistence.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details published on Packet Storm Security. Requires local access and ability to write to directories with spaces in the service path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found in provided references

Restart Required: Yes

Instructions:

1. Check the Wondershare website for security updates.
2. Update to the latest Filmora version if a patch is available.
3. Restart the system after the update.

🔧 Temporary Workarounds

Apply quotes to service path

Manually add quotes around the service executable path in the Windows Registry. If sc qc reports a different path on the installation, use that path in place of the one shown below.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\NativePushService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Wondershare\Filmora 12\NativePushService.exe\"" /f

Remove vulnerable service

Stop and delete the NativePushService service if it is not required

sc stop NativePushService
sc delete NativePushService

🧯 If You Can't Patch

  • Restrict write permissions to directories in the service path (especially those with spaces)
  • Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check whether NativePushService exists and has an unquoted path:

sc qc NativePushService | findstr /i "BINARY_PATH_NAME"

Check Version:

Check the Filmora version in Help > About or in the installed programs list.

Verify Fix Applied:

Verify that the service path has quotes:

sc qc NativePushService | findstr /i "BINARY_PATH_NAME"

The BINARY_PATH_NAME value should be surrounded by quotes.
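The check above and the write-permission mitigation can be automated over saved `sc qc` output. The Python script below is an added example, not part of the original advisory or of any vendor tooling; the function names are hypothetical and the sample output is constructed from the path used in this page's workaround.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `sc qc NativePushService` output (trimmed); the path is
# the one used in this page's workaround and may differ on a real installation.
SAMPLE_SC_QC = r"""
SERVICE_NAME: NativePushService
        BINARY_PATH_NAME   : C:\Program Files\Wondershare\Filmora 12\NativePushService.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"(?im)^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*\S)", sc_qc_output)
    return m.group(1) if m else None

def executable_part(image_path):
    """Drop service arguments: keep the text up to the first '.exe'."""
    m = re.match(r"(?i)\s*(.+?\.exe)\b", image_path)
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path):
    """True when the executable path contains a space and is not quoted."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def directories_to_review(image_path):
    """Directories whose write ACLs matter for this path.

    For an unquoted path, Windows also tries each prefix that ends at a space
    as a program name, so the folder holding each such prefix must not be
    writable by standard users.
    """
    if not is_unquoted_with_spaces(image_path):
        return []
    exe = executable_part(image_path)
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = str(PureWindowsPath(exe[:i]).parent)
            if parent not in dirs:
                dirs.append(parent)
    return dirs

if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    print(path, is_unquoted_with_spaces(path))
    for d in directories_to_review(path):
        print("review write permissions on:", d)
```

Each directory it reports can then be inspected with icacls to confirm that standard users cannot write to it.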

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 (process creation) showing unexpected processes running as SYSTEM from Filmora directories
  • Service control manager events for NativePushService modifications

Network Indicators:

  • Unusual outbound connections from SYSTEM-level processes

SIEM Query:

source="WinEventLog:Security" EventID=4688 AND NewProcessName="*NativePushService*" AND IntegrityLevel="System"
