CVE-2021-47792 Overview
Remote Mouse 4.002 contains an unquoted service path vulnerability (CWE-428) that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access to the affected system.
Critical Impact
Local attackers with low privileges can escalate to SYSTEM-level access by placing malicious executables in paths that Windows interprets before the legitimate service binary due to the unquoted service path.
Affected Products
- Remote Mouse version 4.002
- RemoteMouseService Windows component
- Systems running Remote Mouse with default installation paths containing spaces
Discovery Timeline
- 2026-01-16 - CVE-2021-47792 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47792
Vulnerability Analysis
This vulnerability is classified as an Unquoted Service Path issue (CWE-428), a common Windows privilege escalation vector. When Windows services are installed with executable paths containing spaces and those paths are not enclosed in quotation marks, the Windows Service Control Manager (SCM) becomes susceptible to path interpretation attacks.
When the RemoteMouseService starts, Windows attempts to resolve the unquoted path by testing various path combinations. For example, if the service binary is located at C:\Program Files\Remote Mouse\RemoteMouseService.exe, Windows will first check for C:\Program.exe, then C:\Program Files\Remote.exe, before finally finding the legitimate executable. An attacker with write access to any of these intermediate paths can place a malicious executable that Windows will execute with the service's privileges—typically SYSTEM.
Root Cause
The root cause is improper quoting of the service executable path during the installation of Remote Mouse 4.002. The Windows registry entry for the RemoteMouseService stores the binary path without surrounding quotation marks. This configuration oversight allows the Windows path resolution mechanism to be abused when the installation path contains spaces, which is the default behavior when installed under C:\Program Files\.
Attack Vector
This is a local attack vector requiring authenticated access to the target system. The attacker must have sufficient privileges to write an executable file to one of the intermediate path locations that Windows checks during service path resolution. The attack sequence involves:
- Identifying the unquoted service path in the Windows registry
- Creating a malicious executable (e.g., Remote.exe) in a writable parent directory
- Triggering a service restart or system reboot to execute the malicious payload with SYSTEM privileges
The vulnerability does not require user interaction once the attacker has local access, and the attack complexity is low due to the predictable nature of Windows path resolution behavior.
Detection Methods for CVE-2021-47792
Indicators of Compromise
- Unexpected executable files named Remote.exe or Program.exe appearing in the root of C:\ or C:\Program Files\ directories
- Unusual service start failures or delays for RemoteMouseService
- Process execution events showing SYSTEM-level processes spawned from unexpected paths
- Registry modifications to the RemoteMouseService ImagePath value
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -like '* *' -and $_.PathName -notlike '"*'}
- Monitor file creation events in C:\ and C:\Program Files\ directories for suspicious executables
- Implement application whitelisting to prevent unauthorized binaries from executing
- Use endpoint detection and response (EDR) solutions to identify privilege escalation attempts
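An added example (not code from the vendor or the advisory) that audits service ImagePath values in the registry, lists the intermediate paths Windows would try for each unquoted one, and reports any that already exist on disk, matching the indicators listed above. Unlike the one-liner, it skips services whose only spaces precede command-line arguments; the function names Get-UnquotedPathCandidates and Find-UnquotedServicePath are hypothetical.

```powershell
# Added example; helper names are hypothetical, not part of Remote Mouse or Windows.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Quoted paths and kernel-style paths (\SystemRoot\..., \??\...) are not affected.
    if ($p.StartsWith('"') -or $p.StartsWith('\')) { return }
    # Executable portion: everything up to the first ".exe" followed by a space or the end.
    if ($p -notmatch '^(?<exe>.+?\.exe)(?=\s|$)') { return }
    $exe = $Matches['exe']
    # A space that only separates arguments is harmless.
    if (-not $exe.Contains(' ')) { return }
    # Each space ends a prefix that Windows tries with ".exe" appended.
    $tokens = $exe -split ' '
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        ($tokens[0..$i] -join ' ') + '.exe'
    }
}

function Find-UnquotedServicePath {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.PSChildName
            $svc  = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if (-not $svc.ImagePath) { return }
            $cands = @(Get-UnquotedPathCandidates -ImagePath $svc.ImagePath)
            if ($cands.Count -eq 0) { return }
            # A file already sitting at a candidate path is worth investigating.
            $present = @($cands | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
            [pscustomobject]@{
                Service    = $name
                ImagePath  = $svc.ImagePath
                Candidates = $cands
                Present    = $present
            }
        }
}

# Constructed input: the example path used in the analysis above.
Get-UnquotedPathCandidates 'C:\Program Files\Remote Mouse\RemoteMouseService.exe'

# Live audit of the local machine.
Find-UnquotedServicePath | Format-List
```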
Monitoring Recommendations
- Enable Windows Security Event logging for service control manager events (Event IDs 7000, 7009, 7045)
- Configure file integrity monitoring on directories in the path resolution chain
- Alert on unexpected SYSTEM-level process creation from non-standard locations
- Regularly audit Windows services for unquoted path configurations using automated vulnerability scanners
How to Mitigate CVE-2021-47792
Immediate Actions Required
- Review the RemoteMouseService registry entry and manually add quotation marks around the ImagePath value
- Restrict write permissions on intermediate path directories to administrators only
- Consider temporarily disabling the RemoteMouseService until a patch can be applied
- Audit all Windows services for similar unquoted path vulnerabilities
Patch Information
Check the RemoteMouse Official Site for updated versions that address this vulnerability. The vendor should provide an updated installer that properly quotes the service executable path during installation.
For additional technical details about this vulnerability, refer to the VulnCheck Advisory: Remote Mouse and Exploit-DB #50258.
Workarounds
- Manually correct the service path by adding quotation marks via the Windows Registry Editor at HKLM\SYSTEM\CurrentControlSet\Services\RemoteMouseService
- Install Remote Mouse to a directory path without spaces to eliminate the path resolution vulnerability
- Implement strict file system permissions to prevent non-administrative users from writing to C:\Program Files\ or other intermediate path locations
- Deploy application control policies to block execution of unsigned executables from vulnerable path locations
# PowerShell command to fix unquoted service path
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteMouseService" -Name "ImagePath" -Value '"C:\Program Files\Remote Mouse\RemoteMouseService.exe"'
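An added example (not the vendor's fix) that quotes whatever ImagePath is currently registered instead of assuming the install location, preserving any arguments and the registry value type. The function name Repair-ServiceImagePath is hypothetical; run it from an elevated prompt.

```powershell
# Added example; Repair-ServiceImagePath is a hypothetical helper name.
function Repair-ServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ServiceName = 'RemoteMouseService')

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $regKey = Get-Item -LiteralPath $key -ErrorAction Stop
    # Read the raw value so a REG_EXPAND_SZ string is written back unexpanded.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $current  = $regKey.GetValue('ImagePath', $null, $noExpand)
    if (-not $current) { throw "No ImagePath value under $key" }
    $kind = $regKey.GetValueKind('ImagePath')

    if ($current.TrimStart().StartsWith('"')) {
        Write-Warning "Already quoted: $current"
        return
    }
    # Split the executable from any arguments at the first ".exe" boundary.
    if ($current -notmatch '^\s*(?<exe>.+?\.exe)(?<rest>(\s.*)?)$') {
        throw "Cannot locate the executable in: $current"
    }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']
    if (-not $exe.Contains(' ')) {
        Write-Warning "No space in executable path, nothing to fix: $current"
        return
    }

    $fixed = '"{0}"{1}' -f $exe, $rest
    if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type $kind
    }
    # Emit old and new values so the change can be logged or rolled back.
    [pscustomobject]@{ Service = $ServiceName; Old = $current; New = $fixed }
}

# Preview first, then apply.
Repair-ServiceImagePath -WhatIf
# Repair-ServiceImagePath
```

The new value takes effect the next time the service starts.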


