CVE-2021-47804 Overview
CVE-2021-47804 is an unquoted service path vulnerability affecting Wise Care 365 version 5.6.7.568. The WiseBootAssistant service, which runs with LocalSystem privileges, contains an unquoted service path that allows local attackers to escalate their privileges. By placing a malicious executable in a specific location within the service path, an attacker can achieve code execution with SYSTEM-level privileges when the service restarts.
Critical Impact
Local privilege escalation to SYSTEM privileges through unquoted service path exploitation in the WiseBootAssistant service.
Affected Products
- Wise Care 365 version 5.6.7.568
- WiseBootAssistant service component
Discovery Timeline
- 2026-01-16 - CVE-2021-47804 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47804
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a classic source of Windows privilege escalation. When a Windows service executable path contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path at each space character, trying each truncated prefix as a possible executable before it reaches the intended one. This behavior creates an opportunity for attackers with local access to plant malicious executables that will be executed with the service's elevated privileges.
The WiseBootAssistant service runs with LocalSystem privileges, which is the highest privilege level on a Windows system. This makes the vulnerability particularly dangerous, as successful exploitation grants the attacker complete control over the affected system.
Root Cause
The root cause of this vulnerability is the improper configuration of the WiseBootAssistant service during installation. The service path was registered in the Windows registry without enclosing quotation marks, despite containing directory names with spaces (such as Program Files). This is a common oversight in software packaging that fails to follow Windows service configuration best practices.
Attack Vector
The attack requires local access to the system and the ability to write files to directories within the service path. An attacker would identify the unquoted path and determine which intermediate directory locations are writable. They would then place a malicious executable (typically named to match the first portion of a space-separated path segment, such as Program.exe) in the writable location.
When the WiseBootAssistant service restarts—either through a system reboot, manual service restart, or service crash recovery—Windows will execute the attacker's malicious payload with LocalSystem privileges instead of the legitimate service executable.
For detailed technical information and proof-of-concept details, refer to the Exploit-DB entry #50038 and the VulnCheck Advisory.
Detection Methods for CVE-2021-47804
Indicators of Compromise
- Unexpected executables in C:\ root directory or C:\Program Files\ subdirectories with names like Program.exe, Wise.exe, or similar truncated names
- Modified timestamps on files in service path directories that don't correspond to legitimate software updates
- New or unexpected processes running with SYSTEM privileges after service restart events
Detection Strategies
- Query Windows services for unquoted paths containing spaces using PowerShell: `Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' }`
- Monitor file creation events in high-risk locations such as the C:\ root (for example, a new C:\Program.exe) and subdirectories of C:\Program Files\
- Implement application whitelisting to prevent unauthorized executables from running with elevated privileges
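The one-line query above also flags services whose only spaces are in their arguments. The following audit function is an added example, not code from the advisory or the vendor: it ignores those cases, lists the truncated names Windows would try before the real binary, and reports any that already exist on disk. The function name and the sample records are assumptions made for illustration.

```powershell
function Get-UnquotedServicePath {
    param(
        # Records with Name, StartName and PathName; defaults to the live system.
        [object[]]$Service = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Service) {
        $path = [string]$svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        if ($path.TrimStart().StartsWith('"')) { continue }      # already quoted

        # Treat everything up to the first ".exe" as the image; the rest is arguments.
        $m = [regex]::Match($path, '(?i)^\s*(?<exe>.+?\.exe)(?=\s|$)')
        if (-not $m.Success) { continue }
        $exe = $m.Groups['exe'].Value
        if (-not $exe.Contains(' ')) { continue }                # spaces only in arguments

        # Every prefix ending at a space is a name tried before the real binary.
        $candidates = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -ge 0) {
            $candidates += $exe.Substring(0, $idx) + '.exe'
            $idx = $exe.IndexOf(' ', $idx + 1)
        }

        [pscustomobject]@{
            Name           = $svc.Name
            StartName      = $svc.StartName
            PathName       = $path
            CandidatePaths = $candidates
            # A candidate that exists on disk is an indicator worth investigating.
            Present        = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        }
    }
}

# Constructed sample records (not captured output). The first path is the one
# used in this page's reg add example and may differ on a real installation.
$sample = @(
    [pscustomobject]@{ Name = 'WiseBootAssistant'; StartName = 'LocalSystem'
        PathName = 'C:\Program Files (x86)\Wise\Wise Care 365\WiseBootAssistant.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'; StartName = 'LocalSystem'
        PathName = '"C:\Program Files\Example\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ArgsOnly'; StartName = 'LocalSystem'
        PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)
Get-UnquotedServicePath -Service $sample | Format-List
```

Called without `-Service`, the function audits the local machine; only the WiseBootAssistant sample record is reported, with four candidate paths starting at `C:\Program.exe`.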
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification events (Event ID 7045)
- Configure file integrity monitoring on common unquoted service path exploitation directories
- Monitor for process execution anomalies where unexpected executables spawn from service paths
- Deploy endpoint detection and response (EDR) solutions capable of detecting privilege escalation patterns
How to Mitigate CVE-2021-47804
Immediate Actions Required
- Audit the WiseBootAssistant service path and manually add quotation marks around the executable path in the registry
- Check for unauthorized executables in directories along the service path and remove any suspicious files
- Update Wise Care 365 to the latest version from the official WiseCleaner website
- Restrict write permissions on directories within the service path to administrators only
Patch Information
Users should upgrade Wise Care 365 to a patched version that properly quotes the service path. Check the WiseCleaner Product Page for the latest release information and security updates.
Workarounds
- Manually fix the registry entry by adding quotation marks around the service ImagePath value for WiseBootAssistant
- Restrict local user write permissions to the C:\ root and C:\Program Files\ directory trees
- Implement application control policies to prevent execution of unsigned or unexpected executables
- Consider temporarily disabling the WiseBootAssistant service if it is not critical to operations until a patch is applied
```bat
REM Fix unquoted service path via registry (run from an elevated Command Prompt)
REM First, query the current path:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\WiseBootAssistant" /v ImagePath
REM Then update with quoted path (adjust path as needed):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WiseBootAssistant" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Wise\Wise Care 365\WiseBootAssistant.exe\"" /f
```
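To verify the write-permission restriction recommended above, the following added example (not part of the original advisory) walks every directory along a service image path and reports access rules that let identities other than SYSTEM, Administrators, or TrustedInstaller create files there. The function name is hypothetical, and the path passed in is the one from this page's registry example.

```powershell
function Get-ServicePathWritableAce {
    param(
        # Executable path only, without service arguments.
        [Parameter(Mandatory)][string]$ImagePath
    )
    # SYSTEM, BUILTIN\Administrators and NT SERVICE\TrustedInstaller are expected writers.
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $dir = [System.IO.Path]::GetDirectoryName($ImagePath.Trim().Trim('"'))
    while ($dir) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $acl = Get-Acl -LiteralPath $dir
            # Resolve identities to SIDs so the comparison is locale-independent.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Inherit-only rules apply to children, not to this directory itself.
                if ($ace.PropagationFlags.HasFlag(
                        [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
                if ($trusted -contains $ace.IdentityReference.Value) { continue }
                # CreateFiles is the right needed to add a new executable here.
                if ($ace.FileSystemRights.HasFlag(
                        [System.Security.AccessControl.FileSystemRights]::CreateFiles)) {
                    [pscustomobject]@{
                        Directory = $dir
                        Sid       = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
        # GetDirectoryName returns $null at the drive root, which ends the loop.
        $dir = [System.IO.Path]::GetDirectoryName($dir)
    }
}

# Path taken from this page's reg add example; adjust to the installed location.
Get-ServicePathWritableAce -ImagePath 'C:\Program Files (x86)\Wise\Wise Care 365\WiseBootAssistant.exe' |
    Format-Table -AutoSize
```

An empty result means no non-administrative identity holds an explicit or inherited create-files right on the path; rules expressed only as generic access masks are not expanded by this check and should be reviewed separately.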