CVE-2019-25293 Overview
BlueStacks App Player version 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service. This security flaw allows local attackers to potentially execute arbitrary code by exploiting the unquoted path in C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe. By placing a malicious executable in a strategic location along the service path, attackers can hijack the service execution flow and escalate privileges on the affected system.
Critical Impact
Local attackers can exploit this unquoted service path to execute malicious code with elevated privileges, potentially gaining full control of the affected Windows system.
Affected Products
- BlueStacks App Player 2.4.44.62.57
- BstHdLogRotatorSvc Windows Service
- Windows systems running vulnerable BlueStacks installations
Discovery Timeline
- 2026-02-06 - CVE-2019-25293 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2019-25293
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a common Windows service configuration flaw. When Windows services are installed with executable paths containing spaces but without proper quotation marks, the operating system's path resolution mechanism can be manipulated.
The vulnerable service BstHdLogRotatorSvc references its executable at C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe. Because this path contains spaces (in "Program Files (x86)") and is not enclosed in quotation marks, Windows attempts to resolve the path by progressively trying different interpretations of where the spaces might indicate filename boundaries.
Root Cause
The root cause of this vulnerability is improper service registration in the Windows Service Control Manager. When the BlueStacks installer registered the BstHdLogRotatorSvc service, it failed to wrap the executable path in double quotes. This configuration oversight creates an exploitable condition where Windows attempts to execute files in the following order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
If an attacker can place a malicious executable at C:\Program.exe or C:\Program Files.exe, Windows will execute that file instead of the legitimate service binary.
Attack Vector
This is a local attack vector requiring the attacker to have write access to the root of the C:\ drive or the C:\Program Files directory. When the vulnerable service starts (either at system boot or through manual restart), Windows will execute the attacker's malicious binary with the privileges of the service—typically SYSTEM-level privileges.
The attack requires the following conditions:
- Local access to the affected system
- Write permissions to C:\ or C:\Program Files
- The ability to trigger a service restart or wait for system reboot
For detailed technical analysis and proof-of-concept information, see the Exploit-DB #47582 advisory or the VulnCheck Advisory.
Detection Methods for CVE-2019-25293
Indicators of Compromise
- Unexpected executable files at C:\Program.exe or C:\Program Files.exe
- Unusual child processes spawned by the BstHdLogRotatorSvc service
- Service crash events or unexpected restarts of BlueStacks services
- New user accounts or privilege changes coinciding with service activity
Detection Strategies
- Identify vulnerable services by querying Windows services for unquoted paths with the following command:
  wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Monitor file creation events in the root C:\ directory and C:\Program Files\ for executable files
- Use endpoint detection and response (EDR) solutions to flag process execution anomalies from service contexts
- Implement Windows Event Log monitoring for Service Control Manager events (Event ID 7000, 7009, 7034)
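The following added example, which is not part of the original advisory or BlueStacks code, runs the same audit offline: it parses ImagePath values, skips quoted images and images without spaces, and for each unquoted path returns the earlier candidate files described under Root Cause together with the quoted replacement value. The function names and every sample entry except BstHdLogRotatorSvc are assumptions made for the example.

```python
import re

_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)  # end of the image, before any arguments

def image_of(image_path):
    """Split an ImagePath value into (is_quoted, executable path without arguments)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return True, s[1:end] if end != -1 else s[1:]
    m = _EXE_END.search(s)
    return False, s[:m.end()] if m else s

def hijack_candidates(exe):
    """Files tried before the real binary: the text up to each space, plus .exe.
    Simplification: follows the order listed under Root Cause, nothing more."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """services: iterable of (name, ImagePath). Flags unquoted images containing spaces."""
    findings = []
    for name, raw in services:
        quoted, exe = image_of(raw)
        if quoted or " " not in exe:
            continue  # quoted, or no space in the image path: not affected
        args = raw.strip()[len(exe):]  # keep the original arguments unchanged
        findings.append({"service": name,
                         "watch": hijack_candidates(exe),  # files that should not exist
                         "fixed": f'"{exe}"{args}'})       # quoted replacement value
    return findings

# Constructed sample data; only the first entry comes from this advisory.
SAMPLE = [
    ("BstHdLogRotatorSvc", r"C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe"),
    ("ExampleQuotedSvc", r'"C:\Program Files\Example\svc.exe" --run'),
    ("ExampleSvchost", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("ExampleArgsSvc", r"C:\Program Files\Example App\agent.exe /service"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["service"], "->", f["fixed"])
        for p in f["watch"]:
            print("   check for unexpected file:", p)
```

On a live host the (name, ImagePath) pairs can be read from HKLM\SYSTEM\CurrentControlSet\Services; environment variables inside ImagePath are not expanded by this example.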
Monitoring Recommendations
- Enable file integrity monitoring on system root directories
- Configure alerts for any new executable files created in C:\ or C:\Program Files\ directories
- Monitor BlueStacks service behavior for unexpected child process creation
- Implement SentinelOne's Storyline technology to track process ancestry and detect privilege escalation attempts
How to Mitigate CVE-2019-25293
Immediate Actions Required
- Audit all installed services for unquoted paths using system enumeration tools
- Restrict write permissions on system root directories (C:\ and C:\Program Files\)
- Update BlueStacks to the latest version that addresses this vulnerability
- Consider removing BlueStacks if not actively required in your environment
Patch Information
Users should update BlueStacks App Player to a version newer than 2.4.44.62.57 that properly quotes the service executable path. Visit the BlueStacks Homepage for the latest software releases. Organizations should verify that updated versions have properly quoted service paths before deployment.
Workarounds
- Manually fix the service path by adding quotes: Open Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\BstHdLogRotatorSvc, and modify the ImagePath value to wrap the path in double quotes
- Remove write permissions for non-administrative users on C:\ and C:\Program Files\ directories
- Disable the BstHdLogRotatorSvc service if log rotation functionality is not required
- Implement application whitelisting to prevent unauthorized executable execution
# Fix unquoted service path via command line (run as Administrator)
sc config BstHdLogRotatorSvc binPath= "\"C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe\""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

