CVE-2023-54336
📋 TL;DR
CVE-2023-54336 is an unquoted service path vulnerability in Mediconta 3.7.27 that allows local attackers to execute arbitrary code with LocalSystem privileges. The service's executable path under C:\Program Files (x86)\medicont3\ is registered without quotes even though it contains spaces, so a local attacker who can write to one of the directories along that path can plant an executable that Windows runs in place of the intended binary when the service starts. Organizations running Mediconta 3.7.27 on Windows systems are affected.
💻 Affected Systems
- Mediconta
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with LocalSystem privileges, allowing attackers to install persistent backdoors, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local privilege escalation leading to persistence establishment, credential harvesting, and lateral movement within the network.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and service hardening are implemented.
🎯 Exploit Status
Exploit requires local access to create malicious executables in the unquoted path. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.infonetsoftware.com
Restart Required: Yes
Instructions:
1. Check the vendor website for an updated version.
2. Uninstall the vulnerable version.
3. Install the patched version if available.
4. Restart the system.
🔧 Temporary Workarounds
Add quotes to service path
Modify the service configuration to include quotes around the executable path:
sc config servermedicontservice binPath= "C:\Program Files (x86)\medicont3\servermedicontservice.exe"
Restrict directory permissions
Remove write permissions for non-administrative users on the affected directories:
icacls "C:\Program Files (x86)\medicont3" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to monitor for service path manipulation attempts
- Apply principle of least privilege and restrict local user permissions on affected systems
🔍 How to Verify
Check if Vulnerable:
Check whether Mediconta 3.7.27 is installed and confirm that the service's BINARY_PATH_NAME is unquoted using: sc qc servermedicontservice
Check Version:
Check program version in Control Panel > Programs and Features or via registry: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i mediconta
Verify Fix Applied:
Verify the service path now contains quotes and directory permissions are restricted
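As an added example (not code from the advisory or the vendor), the following Python script parses `sc qc` output, flags an executable path that is unquoted and contains spaces, and lists the directories whose ACLs must deny write access to unprivileged users; the sample `sc qc` output is constructed, and the service name is the one quoted in this advisory.

```python
"""Audit a Windows service's BINARY_PATH_NAME for the unquoted-path weakness."""
import re
import subprocess

# Constructed sample of `sc qc servermedicontservice` output for a vulnerable install.
SAMPLE_SC_QC = """
SERVICE_NAME: servermedicontservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\medicont3\\servermedicontservice.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_binary_path(sc_output: str) -> str:
    """Extract the BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_output)
    if not m:
        raise ValueError("BINARY_PATH_NAME not found in sc qc output")
    return m.group(1).strip()


def executable_part(binpath: str) -> str:
    """Path up to and including the .exe, dropping any service arguments."""
    m = re.match(r"(.*?\.exe)", binpath, re.IGNORECASE)
    return m.group(1) if m else binpath


def is_unquoted_and_spaced(binpath: str) -> bool:
    """Only an unquoted path containing a space lets Windows resolve a shorter prefix."""
    return not binpath.startswith('"') and " " in executable_part(binpath)


def parent_dirs_to_audit(binpath: str) -> list[str]:
    """Every space in the path yields a prefix Windows may try as '<prefix>.exe';
    the parent directory of each prefix, plus the real binary's directory,
    must not be writable by non-administrative users (check with icacls)."""
    exe = executable_part(binpath)
    parents = [exe[:i].rsplit("\\", 1)[0] + "\\" for i, ch in enumerate(exe) if ch == " "]
    parents.append(exe.rsplit("\\", 1)[0] + "\\")
    return list(dict.fromkeys(parents))  # de-duplicate, keep order


def audit(sc_output: str) -> dict:
    """Summarise the finding for one service from its `sc qc` output."""
    binpath = parse_binary_path(sc_output)
    vulnerable = is_unquoted_and_spaced(binpath)
    return {"binary_path": binpath, "unquoted": vulnerable,
            "audit_dirs": parent_dirs_to_audit(binpath) if vulnerable else []}


def audit_live_service(name: str = "servermedicontservice") -> dict:
    """Run `sc qc` on the local Windows host and audit the result."""
    out = subprocess.run(["sc", "qc", name], capture_output=True, text=True, check=True)
    return audit(out.stdout)
```

Run audit_live_service() on the affected host after applying the workaround: "unquoted" should be False once the path is quoted.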
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 7045: Service installation
- Unexpected service path modifications
- Creation of executables in C:\Program Files (x86)\medicont3\ directory
Network Indicators:
- Unusual outbound connections from systems running Mediconta
- Lateral movement attempts from affected systems
SIEM Query:
EventID=7045 AND (ServiceName="servermedicontservice" OR ImagePath="*medicont3*")