CVE-2019-25302 Overview
CVE-2019-25302 is a privilege escalation vulnerability affecting Acer Launch Manager version 6.1.7600.16385. The vulnerability exists due to an unquoted service path in the DsiWMIService component. This flaw allows local attackers to potentially execute arbitrary code with elevated (SYSTEM-level) privileges by exploiting the way Windows handles unquoted service paths containing spaces.
Critical Impact
Local privilege escalation to SYSTEM through unquoted service path exploitation in Acer Launch Manager's DsiWMIService component.
Affected Products
- Acer Launch Manager version 6.1.7600.16385
- Windows systems with DsiWMIService installed via Acer Launch Manager
- Acer devices with pre-installed Launch Manager software
Discovery Timeline
- 2026-02-06 - CVE CVE-2019-25302 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2019-25302
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). The issue arises because the service executable path C:\Program Files (x86)\Launch Manager\dsiwmis.exe contains spaces and is not properly enclosed in quotation marks in the Windows service configuration. When Windows attempts to start a service with an unquoted path containing spaces, it searches for the executable by parsing the path at each space character, attempting to execute files in unexpected locations.
The local attack vector means an attacker must have initial access to the target system. Once access is obtained, the attacker can place a malicious executable in a strategic location along the unquoted path to achieve code execution with SYSTEM privileges when the service starts or restarts.
Root Cause
The root cause is improper configuration of the Windows service registration for DsiWMIService. During installation, the Acer Launch Manager software registers the service path without enclosing the executable path in quotation marks. This is a common oversight in Windows software installations where developers fail to account for path parsing behavior when paths contain spaces. The correct configuration should wrap the path in quotes: "C:\Program Files (x86)\Launch Manager\dsiwmis.exe".
Attack Vector
When the DsiWMIService starts, Windows parses the unquoted path C:\Program Files (x86)\Launch Manager\dsiwmis.exe from left to right, checking for executables at each space boundary. This creates exploitation opportunities at multiple locations:
- Windows first checks for C:\Program.exe
- If not found, it checks for C:\Program Files.exe
- Then C:\Program Files (x86)\Launch.exe
- Finally, it finds the intended C:\Program Files (x86)\Launch Manager\dsiwmis.exe
An attacker with write permissions to C:\ or C:\Program Files (x86)\ can place a malicious executable named Program.exe or Launch.exe respectively. When the service starts (either on system boot or manual restart), the malicious executable runs with SYSTEM privileges. For technical exploitation details, see the Exploit-DB #47577 entry or the VulnCheck Advisory on Acer.
Detection Methods for CVE-2019-25302
Indicators of Compromise
- Unexpected executables named Program.exe, Launch.exe, or similar variants in C:\ or C:\Program Files (x86)\ directories
- Unusual process spawns from service execution with SYSTEM privileges
- Modified service registry entries or newly created executables along the unquoted service path
- Event log entries showing service failures or unexpected restarts of DsiWMIService
Detection Strategies
- Query Windows services for unquoted paths using: wmic service get name,pathname | findstr /i /v """"
- Monitor file creation events in root directories and Program Files directories for suspicious executables
- Implement endpoint detection rules for privilege escalation patterns involving service manipulation
- Use SentinelOne's Storyline technology to correlate service startup events with anomalous executable launches
Monitoring Recommendations
- Enable Windows Security Event logging for service changes (Event ID 7045) and process creation (Event ID 4688)
- Configure file integrity monitoring on directories vulnerable to path hijacking attacks
- Deploy behavioral analysis rules to detect SYSTEM-level process spawning from unexpected locations
- Establish baseline service configurations and alert on deviations from expected executable paths
How to Mitigate CVE-2019-25302
Immediate Actions Required
- Audit all Windows services for unquoted paths using sc qc or PowerShell service queries
- Verify file permissions on root drives and Program Files directories restrict write access to administrators only
- Remove any unauthorized executables found in potential hijack locations along the service path
- Consider disabling the DsiWMIService if not required for system operation until properly patched
Patch Information
Check with Acer Official Website for updated versions of Launch Manager that properly quote the service path. If no official patch is available, manual remediation of the service path configuration is recommended. The VulnCheck Advisory on Acer provides additional remediation guidance.
Workarounds
- Manually correct the service path by adding quotation marks to the ImagePath registry value
- Restrict write permissions to directories along the unquoted path to prevent malicious file placement
- Implement application whitelisting to prevent unauthorized executables from running with elevated privileges
- Use SentinelOne's policy enforcement to block execution of unsigned executables in sensitive directories
# Configuration example - Fix unquoted service path manually
# Run as Administrator in Command Prompt
sc config DsiWMIService binPath= "\"C:\Program Files (x86)\Launch Manager\dsiwmis.exe\""
# Alternatively, use Registry Editor to modify:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsiWMIService
# Change ImagePath value to include quotes around the path
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
