CVE-2021-47767 Overview
CVE-2021-47767 is an unquoted service path vulnerability affecting 10-Strike Network Inventory Explorer Pro version 9.31. The vulnerability exists in the srvInventoryWebServer service, which runs with LocalSystem privileges. Attackers with local access can exploit this flaw by placing malicious executables in potential path segments, achieving privilege escalation and executing arbitrary code with system-level permissions.
Critical Impact
Local attackers can escalate privileges to SYSTEM level by exploiting the unquoted service path, potentially gaining complete control over the affected system.
Affected Products
- 10-Strike Network Inventory Explorer Pro 9.31
- srvInventoryWebServer service component
Discovery Timeline
- 2026-01-15 - CVE-2021-47767 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47767
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration that can lead to privilege escalation. The srvInventoryWebServer service in 10-Strike Network Inventory Explorer Pro 9.31 is configured with a service binary path that contains spaces but is not enclosed in quotation marks.
When Windows attempts to start a service with an unquoted path containing spaces, it parses the path from left to right, attempting to find an executable at each space boundary. For example, if the service path is C:\Program Files\10-Strike\Network Inventory\service.exe, Windows will attempt to execute in order:
- C:\Program.exe
- C:\Program Files\10-Strike\Network.exe
- C:\Program Files\10-Strike\Network Inventory\service.exe
An attacker who can write to any of these intermediate locations can place a malicious executable that will be executed with the service's privileges—in this case, LocalSystem, the highest privilege level on a Windows system.
Root Cause
The root cause is improper quoting of the service binary path in the Windows Service Control Manager (SCM) configuration. When the 10-Strike Network Inventory Explorer Pro installer registers the srvInventoryWebServer service, it fails to enclose the executable path in double quotes, despite the path containing space characters. This is a developer oversight during the installation routine that creates the service entry in the Windows registry.
Attack Vector
This vulnerability requires local access to the target system. The attack vector involves an authenticated local user who has write permissions to one of the intermediate path locations that Windows will attempt to resolve. The attacker must:
- Identify the unquoted service path for srvInventoryWebServer
- Determine which intermediate path locations are writable
- Place a malicious executable (e.g., Program.exe or Network.exe) in the writable location
- Wait for or trigger a service restart
Upon service restart, Windows will execute the attacker's malicious payload with LocalSystem privileges, effectively granting the attacker complete control over the system. This attack is particularly dangerous in enterprise environments where standard users may have write access to certain directories.
The vulnerability can be verified by querying the service configuration using the Windows sc command or by examining the service entries in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvInventoryWebServer.
Detection Methods for CVE-2021-47767
Indicators of Compromise
- Unexpected executables in root directories such as C:\Program.exe or similar locations along the service path
- Unusual process execution events where Program.exe or Network.exe spawns with SYSTEM privileges
- Service start failures followed by execution of unexpected binaries
- Registry modifications to the srvInventoryWebServer service ImagePath value
Detection Strategies
- Monitor for file creation events in common unquoted path exploitation directories (e.g., C:\, C:\Program Files\)
- Audit service configurations using tools like PowerShell's Get-WmiObject or sc qc to identify unquoted paths
- Deploy endpoint detection rules that alert on new executables created in the root of system drives
- Use SentinelOne's behavioral AI to detect privilege escalation attempts via service manipulation
Monitoring Recommendations
- Enable Windows event logging for service creation and modification events (Event ID 7045 in the System log, Event ID 4697 in the Security log)
- Monitor process creation events for unexpected SYSTEM-level processes originating from non-standard paths
- Implement file integrity monitoring on directories commonly targeted by unquoted path attacks
- Review service configurations periodically to ensure all paths containing spaces are properly quoted
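The audit recommended above can be scripted. The following is an added example, not code from the original advisory or from 10-Strike: a read-only PowerShell check that lists every service whose path is unquoted and contains spaces, shows the intermediate paths Windows would try first, and flags any file already present at one of them. It uses Get-CimInstance (the current equivalent of Get-WmiObject); the function name Get-UnquotedPathCandidates is hypothetical.

```powershell
# Added example: read-only audit for unquoted service paths (CWE-428).
# Get-UnquotedPathCandidates is a hypothetical helper name, not a built-in cmdlet.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    # A path that starts with a double quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return @() }
    # Executable portion: everything up to the first ".exe" followed by
    # whitespace or end of string; the rest is treated as arguments.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch '\s') { return @() }
    # At each space, Windows first tries the text before it with ".exe" appended.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# Constructed input: the example path used in the vulnerability analysis above.
# Prints C:\Program.exe and C:\Program Files\10-Strike\Network.exe
Get-UnquotedPathCandidates 'C:\Program Files\10-Strike\Network Inventory\service.exe'

# Audit every installed service on the local machine.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $cands = @(Get-UnquotedPathCandidates -ImagePath $_.PathName)
        if ($cands.Count -gt 0) {
            [pscustomobject]@{
                Service    = $_.Name
                RunsAs     = $_.StartName
                PathName   = $_.PathName
                Candidates = $cands -join '; '
                # A file already present at a candidate location is an
                # indicator of compromise and should be investigated.
                Present    = @($cands | Where-Object {
                                 Test-Path -LiteralPath $_ -PathType Leaf
                             }) -join '; '
            }
        }
    } | Format-List
```

An empty result means no installed service has an unquoted path containing spaces; a non-empty Present field on any row warrants immediate investigation of that file.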
How to Mitigate CVE-2021-47767
Immediate Actions Required
- Review and remediate the srvInventoryWebServer service path by adding proper quotation marks around the ImagePath value
- Audit all services on affected systems for similar unquoted path vulnerabilities
- Restrict write permissions on root directories and intermediate path locations to administrators only
- Consider disabling the affected service until a vendor patch is available
Patch Information
At the time of publication, no official vendor patch has been confirmed for this vulnerability. Organizations should contact 10-Strike Security Solutions directly to inquire about security updates. In the meantime, manual remediation of the service path is recommended.
Additional technical details and proof-of-concept information can be found at Exploit-DB #50494.
Workarounds
- Manually quote the service path in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvInventoryWebServer\ImagePath
- Use Group Policy to restrict write access to the C:\ root directory and C:\Program Files\ parent directories
- Deploy application whitelisting to prevent execution of unauthorized binaries in system directories
- Monitor and alert on any attempts to create executables in exploitation-prone paths
REM Manual remediation using the sc command (run from an elevated Command Prompt)
REM First, query the current service configuration and note BINARY_PATH_NAME
sc qc srvInventoryWebServer
REM Update the service path to include quotes (use the path reported by sc qc)
sc config srvInventoryWebServer binPath= "\"C:\Program Files\10-Strike\Network Inventory Explorer\srvInventoryWebServer.exe\""

