CVE-2021-47787 Overview
CVE-2021-47787 is an unquoted service path vulnerability affecting TotalAV 5.15.69, a popular antivirus solution. The vulnerability exists in multiple system services that run with LocalSystem privileges, where the service executable paths are not properly enclosed in quotation marks. This configuration flaw allows local attackers to place malicious executables in specific path segments to potentially achieve SYSTEM-level access on affected Windows systems.
Critical Impact
Local attackers with low-level access can exploit improperly quoted service paths to escalate privileges to SYSTEM level, potentially gaining complete control over the affected host.
Affected Products
- TotalAV 5.15.69
- TotalAV system services running with LocalSystem privileges
- Windows systems with TotalAV installed in paths containing spaces
Discovery Timeline
- 2026-01-16 - CVE-2021-47787 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47787
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a well-known Windows privilege escalation technique. When Windows services are configured with executable paths that contain spaces but are not enclosed in quotation marks, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path sequentially at each space character.
For example, if a service path is configured as C:\Program Files\TotalAV\antivirus.exe, Windows will attempt to execute in the following order:
- C:\Program.exe
- C:\Program Files\TotalAV\antivirus.exe
This parsing behavior creates an opportunity for attackers to place a malicious executable (e.g., Program.exe) in the C:\ directory. When the vulnerable service starts or restarts, the malicious executable runs with the service's privileges—in this case, LocalSystem, which is the highest privilege level on Windows.
Root Cause
The root cause of this vulnerability is improper service registration during TotalAV installation. The installer fails to enclose service binary paths in quotation marks when registering services with the Windows Service Control Manager. Multiple TotalAV services are affected, all running under the LocalSystem account, which provides attackers with maximum privilege escalation potential upon successful exploitation.
Attack Vector
Exploitation requires local access to the target system with sufficient permissions to write files to directories in the unquoted path segments (typically C:\ or C:\Program Files\). An attacker must:
- Identify the vulnerable unquoted service path in the Windows registry
- Determine which path segments are writable
- Place a malicious executable at the appropriate location
- Wait for or trigger a service restart
The attack is classified as a local attack vector requiring low privileges and no user interaction, making it suitable for post-exploitation privilege escalation scenarios.
Detection Methods for CVE-2021-47787
Indicators of Compromise
- Presence of unexpected executables in C:\ root directory, particularly Program.exe, TotalAV.exe, or similarly named files
- Unusual service startup failures or unexpected process creation events associated with TotalAV services
- Registry modifications to TotalAV service configuration entries under HKLM\SYSTEM\CurrentControlSet\Services
- Process execution anomalies where TotalAV-related service processes spawn unexpected child processes
Detection Strategies
- Monitor for new executable file creation in C:\ and other common unquoted path target directories using file integrity monitoring
- Implement Windows Event Log monitoring for Service Control Manager events (Event ID 7000, 7009) indicating service startup issues
- Deploy endpoint detection rules to alert on process execution from unexpected paths when parent process is services.exe
- Query the Windows registry for unquoted ImagePath values in service configurations using PowerShell or WMIC
Monitoring Recommendations
- Enable detailed process creation auditing (Event ID 4688) with command line logging on Windows endpoints
- Configure SentinelOne agents to monitor for privilege escalation patterns associated with unquoted service path exploitation
- Establish baseline behavior for TotalAV service processes and alert on deviations
- Implement file system monitoring for write operations to high-risk directories that commonly appear in unquoted paths
How to Mitigate CVE-2021-47787
Immediate Actions Required
- Audit all TotalAV service entries in the Windows registry to identify unquoted paths under HKLM\SYSTEM\CurrentControlSet\Services
- Manually quote affected service paths by editing the ImagePath registry value to enclose the full path in double quotes
- Restrict write permissions on directories that could be exploited (such as C:\ and C:\Program Files\)
- Check for the existence of suspicious executables in path segment locations and remove any unauthorized files
Patch Information
Users should visit the TotalAV official website to check for updated versions that address this vulnerability. Additional technical details are available in the VulnCheck Advisory and Exploit-DB #50314.
Workarounds
- Manually add quotation marks to affected service ImagePath values in the Windows registry
- Use access control lists (ACLs) to prevent non-administrative users from writing to C:\ and other exploitable path directories
- Consider running TotalAV services under a less privileged account if the functionality permits
- Deploy endpoint protection solutions like SentinelOne that can detect and prevent unquoted service path exploitation attempts
# Check for unquoted service paths in TotalAV services
Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*TotalAV*" -and $_.PathName -notmatch '^"' -and $_.PathName -match '\s' } | Select-Object Name, PathName, StartMode
# Fix unquoted service path (run as Administrator)
# Replace SERVICE_NAME with the actual TotalAV service name
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SERVICE_NAME" -Name ImagePath -Value '"C:\Program Files\TotalAV\service.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
