CVE-2019-25276 Overview
Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions.
Critical Impact
Local privilege escalation to LocalSystem through unquoted service path exploitation in industrial control system software
Affected Products
- Studio 5000 Logix Designer 30.01.00
- FactoryTalk Activation Service
- Rockwell Automation Industrial Control Systems
Discovery Timeline
- 2026-02-05 - CVE CVE-2019-25276 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2019-25276
Vulnerability Analysis
This vulnerability (CWE-428: Unquoted Search Path or Element) exists in the FactoryTalk Activation Service component of Studio 5000 Logix Designer. The service executable path contains spaces but is not enclosed in quotation marks within the Windows service configuration. When Windows attempts to locate and execute the service binary, it parses the path sequentially at each space character, allowing an attacker to place a malicious executable at an intermediate path location.
The vulnerable service path C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ is parsed by Windows in the following order: first attempting C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\Rockwell.exe, and so forth. An attacker with write access to any of these intermediate directories can plant a malicious executable that Windows will execute instead of the legitimate service binary.
Root Cause
The root cause of this vulnerability is the failure to properly quote the service executable path during installation or configuration of the FactoryTalk Activation Service. Windows services with paths containing spaces must be enclosed in double quotes to prevent path parsing ambiguity. This is a common configuration oversight in software installers that fail to sanitize service registration entries.
Attack Vector
The attack requires local access to the system with sufficient privileges to write to one of the intermediate path locations. In many enterprise environments, users may have write access to directories like C:\ or subdirectories that precede the intended executable path. When the service restarts (either through system reboot, manual restart, or service recovery actions), the planted malicious executable runs with LocalSystem privileges, granting the attacker full control over the system.
This is particularly concerning in industrial control system (ICS) environments where Studio 5000 Logix Designer is deployed, as compromised engineering workstations could be leveraged to pivot into operational technology networks. For additional technical details and proof-of-concept information, refer to the Exploit-DB entry #47676 and the Vulncheck Advisory.
Detection Methods for CVE-2019-25276
Indicators of Compromise
- Unexpected executable files in root directories such as C:\Program.exe or C:\Program Files.exe
- New executables named Rockwell.exe or FactoryTalk.exe in parent directories of the legitimate installation path
- Service startup failures followed by successful execution with different behavior patterns
- Unusual processes spawning from LocalSystem account at service startup times
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -match ' ' }
- Monitor file creation events in C:\, C:\Program Files\, and C:\Program Files (x86)\ directories for unexpected executables
- Deploy SentinelOne endpoint detection to identify privilege escalation attempts and suspicious service behavior
- Audit service configurations during vulnerability scans to identify unquoted service paths
Monitoring Recommendations
- Enable file integrity monitoring on common unquoted path exploitation directories
- Configure alerting for new service registrations or modifications to existing service paths
- Monitor process creation events for executables running as LocalSystem from unexpected locations
- Implement SentinelOne behavioral AI to detect exploitation patterns associated with privilege escalation
How to Mitigate CVE-2019-25276
Immediate Actions Required
- Audit all services on affected systems for unquoted paths using Windows Management Instrumentation (WMI) queries
- Remove any suspicious executables found in intermediate path directories
- Restrict write permissions on root and Program Files directories to administrators only
- Contact Rockwell Automation for updated installers or patches addressing this vulnerability
Patch Information
Organizations should contact Rockwell Automation directly for official patch information and updated software versions that address the unquoted service path vulnerability. Review the Vulncheck Advisory for additional remediation guidance.
Workarounds
- Manually quote the service path in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath
- Restrict NTFS permissions on potential hijack directories to prevent non-administrator write access
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use SentinelOne to block unauthorized executables from running in sensitive directories
# Registry fix to quote the service path
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FactoryTalk Activation Service" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ServiceName.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
