The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2019-25274

CVE-2019-25274: ProShow Producer Privilege Escalation Flaw

CVE-2019-25274 is a privilege escalation vulnerability in ProShow Producer 9.0.3797 caused by an unquoted service path in ScsiAccess. Attackers can execute code with LocalSystem privileges. This article covers affected versions, impact, and mitigation strategies.

Published: February 6, 2026

CVE-2019-25274 Overview

ProShow Producer 9.0.3797 contains an unquoted service path vulnerability in the ScsiAccess service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup.

Critical Impact

Local attackers with write permissions to the service path can achieve privilege escalation to LocalSystem by placing a malicious executable in the unquoted path, enabling complete system compromise.

Affected Products

  • ProShow Producer version 9.0.3797
  • ScsiAccess service component
  • Windows systems running affected ProShow Producer installations

Discovery Timeline

  • 2026-02-05 - CVE-2019-25274 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2019-25274

Vulnerability Analysis

This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a class of flaws where the software constructs a service executable path without proper quotation marks. When Windows attempts to start a service with an unquoted path containing spaces, it parses the path in a predictable manner that can be exploited by attackers.

The ScsiAccess service in ProShow Producer 9.0.3797 registers its executable path without enclosing quotes. When the path contains directory names with spaces (common in Windows installations like C:\Program Files\), Windows interprets each space as a potential argument delimiter and attempts to execute files at each truncation point sequentially.

Root Cause

The root cause stems from improper service registration where the ImagePath registry value for the ScsiAccess service was set without surrounding quotation marks. When installing the service, the application failed to properly escape or quote the binary path, creating an exploitable condition. This is a common oversight during software development when using Windows service installation APIs or manual registry manipulation without proper path sanitization.

Attack Vector

This is a local attack vector requiring the attacker to have local access to the vulnerable system. The exploitation process involves:

  1. Identifying the unquoted service path for ScsiAccess
  2. Locating a writable directory within the path where a malicious executable can be placed
  3. Dropping a payload named to match the expected truncation point (e.g., Program.exe in C:\)
  4. Waiting for or triggering a service restart, which causes Windows to execute the malicious binary with LocalSystem privileges

The attacker needs write access to one of the intermediate directories in the service path. For example, if the service path is C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe, an attacker with write access to C:\ could place Program.exe there. When the service restarts, Windows first attempts to execute C:\Program.exe before finding the correct path.

For detailed technical information about this vulnerability, see the VulnCheck Advisory for ProShow and Exploit-DB #47705.

Detection Methods for CVE-2019-25274

Indicators of Compromise

  • Unexpected executables named Program.exe, Photodex.exe, or similar in root directories or intermediate paths
  • New executable files appearing in C:\ or C:\Program Files\ directories that don't belong to legitimate software
  • Service execution logs showing unusual process spawning from the ScsiAccess service context
  • Unauthorized processes running with LocalSystem privileges that correlate with service start times

Detection Strategies

  • Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^".*"$' -and $_.PathName -match ' ' }
  • Monitor file system changes in root directories and common unquoted path locations for new executable files
  • Implement application whitelisting to prevent execution of unauthorized binaries in sensitive paths
  • Review Windows Event Logs (Event ID 7045) for service installation and changes to service configurations

Monitoring Recommendations

  • Deploy endpoint detection rules to alert on executable file creation in C:\ and C:\Program Files\ directories
  • Monitor the ScsiAccess service for unexpected child process execution
  • Implement file integrity monitoring on directories commonly targeted by unquoted service path exploits
  • Configure SIEM rules to correlate service startup events with unusual process behavior

How to Mitigate CVE-2019-25274

Immediate Actions Required

  • Audit all installed services for unquoted paths and remediate by adding quotation marks to the ImagePath registry values
  • Restrict write permissions on root directories and intermediate paths where malicious executables could be planted
  • Consider uninstalling ProShow Producer if not actively required, as Photodex has discontinued the product
  • Implement application control policies to prevent unauthorized executable files from running

Patch Information

ProShow Producer is a discontinued product from Photodex, and no official patch is available for this vulnerability. Organizations using this software should consider migrating to alternative solutions. For more information about the vendor, visit the Photodex Homepage.

Workarounds

  • Manually fix the unquoted service path by modifying the registry ImagePath value to include quotation marks around the executable path
  • Remove write permissions from intermediate directories in the service path for non-administrative users
  • Disable or remove the ScsiAccess service if SCSI device access is not required for your workflows
  • Deploy endpoint protection solutions like SentinelOne that can detect and block privilege escalation attempts via unquoted service paths
bash
# Configuration example - Fix unquoted service path via registry
# Run as Administrator in PowerShell
$servicePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ScsiAccess" -Name ImagePath).ImagePath
if ($servicePath -notmatch '^".*"$') {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ScsiAccess" -Name ImagePath -Value "`"$servicePath`""
    Write-Host "Service path has been quoted successfully"
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechProshow Producer
  • SeverityHIGH
  • CVSS Score8.5
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-428
  • Technical References
  • Photodex Homepage
  • Exploit-DB #47705
  • VulnCheck Advisory for ProShow
  • Latest CVEs
  • CVE-2026-35467: Browser API Key Information Disclosure
  • CVE-2026-35466: cveInterface.js XSS Vulnerability
  • CVE-2026-30252: ZenShare Suite XSS Vulnerability
  • CVE-2026-30251: ZenShare Suite v17.0 XSS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English