CVE-2021-47806 Overview
CVE-2021-47806 is an unquoted service path vulnerability affecting Dup Scout 13.5.28, a Windows-based duplicate file detection application. The vulnerability exists in the Windows service configuration where the service executable path C:\Program Files\Dup Scout Server\bin\dupscts.exe is not properly quoted. This misconfiguration allows local attackers with limited privileges to potentially execute arbitrary code and escalate their privileges on the affected system.
Unquoted service path vulnerabilities (CWE-428) occur when Windows services are configured with paths containing spaces that are not enclosed in quotation marks. Windows attempts to parse such paths by testing various combinations, creating opportunities for attackers to place malicious executables in strategic locations that Windows will execute instead of the intended service binary.
Critical Impact
Local attackers can exploit this vulnerability to achieve privilege escalation by placing malicious executables in paths that Windows will execute before the legitimate service binary, potentially gaining SYSTEM-level access.
Affected Products
- Dup Scout 13.5.28
- Dup Scout Server component with dupscts.exe service
- Windows installations with vulnerable service configurations
Discovery Timeline
- 2026-01-16 - CVE-2021-47806 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47806
Vulnerability Analysis
The vulnerability stems from improper service configuration in Dup Scout 13.5.28. When a Windows service is registered with an unquoted path containing spaces, such as C:\Program Files\Dup Scout Server\bin\dupscts.exe, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path iteratively.
Windows interprets spaces as argument delimiters, causing it to attempt execution in the following order:
- C:\Program.exe
- C:\Program Files\Dup.exe
- C:\Program Files\Dup Scout.exe
- C:\Program Files\Dup Scout Server\bin\dupscts.exe
An attacker with write access to C:\ or C:\Program Files\ directories can place a malicious executable named Program.exe or Dup.exe that will be executed with the privileges of the service (often SYSTEM) before the legitimate service binary is found.
Root Cause
The root cause of CVE-2021-47806 is the failure to properly quote the service executable path during the installation and registration of the Dup Scout Server service. When registering Windows services, paths containing spaces must be enclosed in double quotation marks to prevent Windows from misinterpreting the path structure.
The service should be registered as:
"C:\Program Files\Dup Scout Server\bin\dupscts.exe"
Instead, it was registered as:
C:\Program Files\Dup Scout Server\bin\dupscts.exe
This configuration oversight creates a local privilege escalation vector that persists across system reboots and service restarts.
Attack Vector
This is a local attack vector requiring the attacker to have local access to the vulnerable Windows system. The attack requires write permissions to one of the directories that Windows will attempt to access during path resolution. While standard users typically cannot write to C:\Program Files\, misconfigurations, additional vulnerabilities, or access to C:\ directly could enable exploitation.
The attack is executed by:
- Identifying the unquoted service path using tools like wmic service get name,displayname,pathname,startmode or PowerShell queries
- Placing a malicious executable (e.g., Dup.exe) in C:\Program Files\
- Waiting for the service to restart or forcing a restart if possible
- The malicious code executes with the service's privileges (typically SYSTEM)
For detailed technical information and proof-of-concept references, see the Exploit-DB #50025 advisory and the VulnCheck Advisory on DupScout.
Detection Methods for CVE-2021-47806
Indicators of Compromise
- Unexpected executables named Program.exe, Dup.exe, or Dup Scout.exe in C:\ or C:\Program Files\ directories
- New or modified executable files in system root or Program Files with timestamps coinciding with suspicious activity
- Unusual service behavior or unexpected processes spawning from service accounts
- Windows Event Log entries showing service startup failures followed by successful starts
Detection Strategies
- Deploy endpoint detection rules to monitor for executable creation in C:\ and C:\Program Files\ root directories with names matching common unquoted path exploitation patterns
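- Use PowerShell or WMIC queries to audit all services for unquoted paths: Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' }. This filter also matches services whose executable path has no spaces but which take arguments (for example svchost.exe -k ...), so review each hit before treating it as a finding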
- Implement file integrity monitoring on directories commonly targeted by unquoted service path attacks
- Configure SentinelOne to detect privilege escalation attempts through service manipulation
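The audit described above can be made more precise by listing, for each unquoted service path, the intermediate executables Windows would try first and checking whether any of them already exists on disk. This is an added example, not code from the advisory or the vendor; Get-UnquotedPathCandidates is a hypothetical helper name, and treating the first ".exe" as the end of the image path is an assumption.

```powershell
# Added example: audit unquoted service paths and check for planted candidates.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }          # quoted path: nothing to report

    # Assumption: the image path ends at the first ".exe"; anything after it
    # is arguments (e.g. "svchost.exe -k netsvcs") and is ignored.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Each space in the image path is a point where the path can be cut short
    # and ".exe" appended, matching the resolution order listed in this advisory.
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }
}

# Constructed check using the service path from this advisory.
Get-UnquotedPathCandidates 'C:\Program Files\Dup Scout Server\bin\dupscts.exe'

# Audit every installed service; one output row per candidate path.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        foreach ($c in @(Get-UnquotedPathCandidates $svc.PathName)) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName
                Candidate = $c
                Exists    = Test-Path -LiteralPath $c -PathType Leaf
                PathName  = $svc.PathName
            }
        }
    } |
    Sort-Object Service, Candidate |
    Format-Table -AutoSize -Wrap
```

A row with Exists set to True corresponds to the first indicator of compromise listed above and should be investigated; any row at all means the service's ImagePath needs quoting.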
Monitoring Recommendations
- Enable Windows Security Event Log auditing for process creation (Event ID 4688) with command line logging to track service-related process spawns
- Monitor for new file creation events in C:\, C:\Program, and C:\Program Files\ directories with executable extensions
- Set up alerts for service configuration changes using Windows Event ID 7040 and 7045
How to Mitigate CVE-2021-47806
Immediate Actions Required
- Query all Windows services to identify unquoted paths using wmic service get name,displayname,pathname,startmode | findstr /i /v """ and remediate findings
- Restrict write permissions on C:\ and C:\Program Files\ directories to administrators only, verifying no misconfigurations exist
- Consider uninstalling Dup Scout 13.5.28 until a patched version is available, or apply the manual registry fix
- Implement application whitelisting to prevent execution of unauthorized executables in system directories
Patch Information
Check the DupScout Security Overview for updated versions that address this vulnerability. Users should upgrade to the latest available version of Dup Scout that includes a properly quoted service path configuration. Until a vendor patch is available, manual remediation of the service path in the Windows registry is recommended.
Workarounds
- Manually fix the service path by modifying the Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\dupscts to include quotation marks around the ImagePath value
- Use Group Policy or security tools to enforce strict permissions on directories vulnerable to unquoted path exploitation
- Implement SentinelOne Singularity to detect and block privilege escalation attempts through malicious executable placement
rem Configuration example - fix the unquoted service path via the registry (run in an elevated Command Prompt)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\dupscts" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Dup Scout Server\bin\dupscts.exe\"" /f
rem Verify the fix was applied correctly
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dupscts" /v ImagePath
# PowerShell alternative to verify the service path (run in PowerShell, not Command Prompt)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\dupscts" | Select-Object ImagePath
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

