CVE-2019-25283 Overview
CVE-2019-25283 is a high-severity unquoted service path vulnerability affecting Shrew Soft VPN Client version 2.2.2. This vulnerability allows local users to execute arbitrary code with elevated system privileges by exploiting the improper handling of service executable paths during Windows service startup.
When a Windows service path contains spaces and is not enclosed in quotation marks, the operating system may attempt to execute unexpected executables placed strategically in the path hierarchy. Attackers with local access can leverage this weakness to place malicious executables that will be executed with SYSTEM-level privileges when the VPN service starts or during system reboot.
Critical Impact
Local attackers can achieve full system compromise by placing a malicious executable in the unquoted service path, gaining SYSTEM-level privileges upon service startup or system reboot.
Affected Products
- Shrew Soft VPN Client 2.2.2
- Windows systems running the Shrew Soft VPN Client iked service
Discovery Timeline
- 2026-02-05 - CVE-2019-25283 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2019-25283
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows-specific security issue. The Shrew Soft VPN Client installs a service with an executable path that contains spaces but lacks proper quotation marks around the path string in the Windows registry.
When Windows attempts to start a service with an unquoted path containing spaces, it sequentially attempts to locate and execute files at each space-delimited segment of the path. For example, if the service path is C:\Program Files\Shrew Soft\VPN Client\iked.exe, Windows will attempt to execute in order:
- C:\Program.exe
- C:\Program Files\Shrew.exe
- C:\Program Files\Shrew Soft\VPN.exe
- C:\Program Files\Shrew Soft\VPN Client\iked.exe
If an attacker can place a malicious executable at any of the earlier path locations, it will be executed with the privileges of the service account—typically SYSTEM.
Root Cause
The root cause of this vulnerability lies in the improper registration of the VPN client's service executable path in the Windows Service Control Manager. During installation, the service path was registered without enclosing quotation marks, leaving it susceptible to path interpretation attacks when spaces exist in directory names.
Attack Vector
This is a local attack vector requiring the attacker to have write access to at least one directory in the service path hierarchy. The attack requires:
- Local access to the target system
- Write permissions to a directory such as C:\ or C:\Program Files\Shrew Soft\
- The ability to place a malicious executable (e.g., Program.exe or Shrew.exe)
- A system reboot or service restart to trigger execution
The vulnerability does not require user interaction once the malicious executable is in place, as the service startup process will automatically execute it with elevated privileges.
For detailed technical information and proof-of-concept details, refer to the Exploit-DB entry #47660 and the VulnCheck Advisory.
Detection Methods for CVE-2019-25283
Indicators of Compromise
- Unexpected executables named Program.exe, Shrew.exe, or VPN.exe in C:\ or C:\Program Files\ directories
- New processes spawning with SYSTEM privileges from unusual executable locations
- Suspicious service startup events in Windows Event Logs correlating with unexpected process execution
- File creation or modification events in root directories or parent paths of the VPN client installation
Detection Strategies
- Query the Windows registry for unquoted service paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
- Monitor for file creation events in directories that are part of the unquoted service path hierarchy
- Implement application whitelisting to prevent unauthorized executables from running with elevated privileges
- Use SentinelOne's behavioral AI to detect anomalous process spawning from unexpected paths
Monitoring Recommendations
- Enable detailed auditing of file system changes in C:\ and C:\Program Files\ directories
- Configure alerts for service-related Event IDs (7000, 7009, 7034) that may indicate service startup anomalies
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation patterns
- Regularly audit installed services for unquoted path vulnerabilities across the enterprise
How to Mitigate CVE-2019-25283
Immediate Actions Required
- Audit all systems running Shrew Soft VPN Client 2.2.2 for unquoted service paths
- Manually correct the service path in the Windows registry by adding quotation marks around the executable path
- Restrict write permissions to directories in the service path hierarchy to administrators only
- Consider replacing Shrew Soft VPN Client with an actively maintained VPN solution
Patch Information
No official patch has been identified in the available CVE data. The Shrew Soft VPN Client appears to be legacy software, and users should verify with the Shrew Soft Homepage for any available updates or consider migrating to alternative VPN solutions.
For organizations that must continue using this software, manual remediation of the unquoted service path is required.
Workarounds
- Manually quote the service path in the registry at HKLM\SYSTEM\CurrentControlSet\Services\iked by enclosing the ImagePath value in quotation marks
- Remove write permissions for non-administrative users from C:\ and C:\Program Files\ directories
- Implement application control policies to block execution of unexpected executables in common exploitation paths
- Deploy file integrity monitoring on directories susceptible to exploitation
# Registry fix to quote the service path (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\iked" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Shrew Soft\VPN Client\iked.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
