CVE-2019-25272 Overview
CVE-2019-25272 is an unquoted service path vulnerability affecting TexasSoft CyberPlanet 6.4.131. The vulnerability exists in the CCSrvProxy service, which runs with elevated system privileges. Due to improper quoting of the service executable path C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe, local attackers can exploit this weakness to execute arbitrary code with SYSTEM-level privileges.
This type of vulnerability (CWE-428: Unquoted Search Path or Element) occurs when Windows services are configured with paths containing spaces that are not enclosed in quotation marks. Windows interprets the unquoted path ambiguously, attempting to execute binaries at multiple locations along the path hierarchy before reaching the intended executable.
Critical Impact
Local attackers with write access to C:\Program Files (x86)\TenaxSoft\ or C:\Program.exe locations can achieve privilege escalation to SYSTEM-level access by placing a malicious executable in the service's search path.
Affected Products
- TexasSoft CyberPlanet 6.4.131
- CCSrvProxy Service (SrvProxy.exe)
- TenaxSoft CyberPlanet installations with default service configuration
Discovery Timeline
- 2026-02-05 - CVE-2019-25272 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2019-25272
Vulnerability Analysis
The vulnerability stems from the CCSrvProxy Windows service being registered with an unquoted executable path. When Windows attempts to start a service with a path like C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe without quotation marks, the Service Control Manager (SCM) parses the path in segments, attempting to execute binaries at each space-delimited boundary.
The attack surface requires local access to the target system and write permissions to one of the directories in the search path hierarchy. Successful exploitation results in arbitrary code execution with the privileges of the vulnerable service, typically SYSTEM-level access for Windows services.
The local attack vector means this vulnerability is most dangerous in multi-user environments, shared workstations, or scenarios where an attacker has gained initial low-privilege access and seeks privilege escalation for lateral movement.
Root Cause
The root cause is improper service registration in the Windows registry. The service path stored in HKLM\SYSTEM\CurrentControlSet\Services\CCSrvProxy\ImagePath lacks quotation marks around the executable path. This configuration error causes Windows to interpret spaces in directory names as argument delimiters, creating an unintended file search order vulnerability.
When the service starts, Windows sequentially attempts to execute:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
If an attacker places a malicious executable at any of the earlier locations and has sufficient permissions, their code will execute instead of the legitimate service binary.
Attack Vector
This is a local privilege escalation attack requiring an attacker to have initial access to the system with write permissions to a directory in the service's search path. The attack follows this general pattern:
- Reconnaissance: Attacker identifies services with unquoted paths using tools like wmic service get name,displayname,pathname,startmode or PowerShell queries
- Permission Check: Attacker verifies write access to a directory in the search path hierarchy
- Payload Placement: A malicious executable is placed in the vulnerable path location (e.g., C:\Program.exe or C:\Program Files (x86)\TenaxSoft\CyberPlanet.exe)
- Service Restart Trigger: Attacker waits for or triggers a service restart (system reboot, service failure, or if they have service control permissions)
- Code Execution: The malicious binary executes with the service's privileges (typically SYSTEM)
For detailed technical analysis and proof-of-concept information, refer to the Exploit-DB entry #47724 and the VulnCheck Advisory.
Detection Methods for CVE-2019-25272
Indicators of Compromise
- Unexpected executables named Program.exe, Program Files.exe, or CyberPlanet.exe in parent directories of the legitimate service path
- New or modified executables in C:\, C:\Program Files (x86)\, or C:\Program Files (x86)\TenaxSoft\ directories
- Service failure events for CCSrvProxy followed by suspicious process execution
- Registry modifications to the CCSrvProxy service ImagePath value
Detection Strategies
- Monitor file creation events in C:\, C:\Program Files (x86)\, and C:\Program Files (x86)\TenaxSoft\ directories for unexpected executable files
- Audit Windows registry for services with unquoted paths containing spaces using automated scanning tools or SIEM queries
- Deploy endpoint detection rules to alert on new executables created in root directories or Program Files subdirectories
- Track process lineage to identify child processes spawned by the CCSrvProxy service that deviate from expected behavior
Monitoring Recommendations
- Enable Windows Security Event logging for service start events (Event ID 7036) and correlate with process creation (Event ID 4688)
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized executable placement
- Use SentinelOne's behavioral AI to detect anomalous process execution patterns associated with privilege escalation attempts
- Configure alerts for any modification to the CCSrvProxy service registry keys
How to Mitigate CVE-2019-25272
Immediate Actions Required
- Audit the CCSrvProxy service path in the Windows registry and add quotation marks around the executable path
- Review file system permissions on C:\, C:\Program Files (x86)\, and intermediate directories to restrict write access to administrators only
- Check for any suspicious executables already present in the service search path locations and remove or quarantine them
- Consider disabling the CCSrvProxy service if not required until a vendor patch is available
Patch Information
No vendor patch information is currently available in the CVE data. System administrators should contact TenaxSoft directly for guidance on obtaining updated software with properly quoted service paths. In the absence of a vendor patch, manual registry remediation is recommended.
Workarounds
- Manually correct the service path by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\CCSrvProxy\ImagePath to include quotation marks: "C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe"
- Restrict write permissions on all directories in the service path hierarchy to prevent unauthorized executable placement
- Implement application whitelisting policies (Windows Defender Application Control or AppLocker) to prevent execution of unsigned binaries in system directories
- Deploy endpoint protection solutions like SentinelOne to detect and block privilege escalation attempts
# Registry fix command (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\CCSrvProxy" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
