CVE-2021-47809 Overview
CVE-2021-47809 is an unquoted service path vulnerability affecting Disk Sorter Enterprise 13.6.12. This Windows-based file management utility contains an improperly quoted service path in its Windows service configuration, allowing local attackers to potentially execute arbitrary code and escalate privileges on affected systems.
The vulnerability exists in the service executable path C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe. Because this path contains spaces and is not properly enclosed in quotation marks, Windows will attempt to locate and execute files in unintended locations, creating an opportunity for privilege escalation.
Critical Impact
Local attackers with write access to specific directories can place malicious executables that will be run with SYSTEM privileges when the Disk Sorter Enterprise service starts or restarts.
Affected Products
- Disk Sorter Enterprise 13.6.12
- Potentially other versions with the same unquoted service path configuration
Discovery Timeline
- 2026-01-16 - CVE-2021-47809 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47809
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with an executable path containing spaces that is not enclosed in quotation marks, the Windows Service Control Manager (SCM) parses the path in a predictable but exploitable manner.
For the path C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe, Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files\Disk.exe
- C:\Program Files\Disk Sorter\Enterprise\bin\disksrs.exe
An attacker who can place a malicious executable at any of these intermediate locations can achieve code execution with the privileges of the service account—typically SYSTEM.
Root Cause
The root cause is improper service installation configuration where the ImagePath registry value under HKLM\SYSTEM\CurrentControlSet\Services\disksrs (or similar) does not have the executable path enclosed in double quotes. This is a common oversight in Windows application installers that fail to properly escape paths containing spaces.
Attack Vector
This vulnerability requires local access to the target system. An attacker must have sufficient privileges to write files to one of the directories in the truncated path sequence. The most commonly exploitable location is C:\Program.exe if the root drive allows user writes, or potentially C:\Program Files\Disk.exe in misconfigured environments.
The attack scenario typically involves:
- An attacker gains initial access to a system running Disk Sorter Enterprise with a low-privileged account
- The attacker identifies the unquoted service path through service enumeration
- The attacker places a malicious executable (e.g., Disk.exe) in C:\Program Files\
- When the service restarts (system reboot, manual restart, or crash recovery), Windows executes the malicious binary with SYSTEM privileges
- The attacker achieves privilege escalation to SYSTEM level
For detailed technical analysis and proof-of-concept information, refer to the Exploit-DB #50014 advisory.
Detection Methods for CVE-2021-47809
Indicators of Compromise
- Unexpected executable files in C:\ root directory (e.g., Program.exe)
- Unexpected executable files in C:\Program Files\ with names like Disk.exe
- Unusual child processes spawned by the Disk Sorter Enterprise service
- Registry modifications to the Disk Sorter Enterprise service ImagePath value
Detection Strategies
- Enumerate all Windows services with unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -match '\s' } | Select-Object Name, PathName
- Monitor file creation events in C:\ and C:\Program Files\ for executables matching partial path names
- Implement file integrity monitoring on directories that could be exploited via unquoted service paths
- Use endpoint detection tools to alert on service-related privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing
- Configure alerts for new executable files created in system root directories
- Monitor service restart events (Event ID 7036) for the Disk Sorter Enterprise service
- Implement application whitelisting to prevent unauthorized executables from running in sensitive directories
How to Mitigate CVE-2021-47809
Immediate Actions Required
- Audit all installed services for unquoted paths using enumeration scripts
- Manually correct the service ImagePath by adding quotation marks around the executable path
- Restrict write permissions to C:\ and C:\Program Files\ directories to administrators only
- Review and harden file system permissions on all drives where services may be installed
Patch Information
Organizations should contact the vendor or check the Disk Sorter product page for updated versions that address this vulnerability. Additionally, refer to the VulnCheck Advisory on Disk Sorter for the latest remediation guidance.
Workarounds
- Manually fix the service path by modifying the registry to include quotes around the path
- Implement strict file system ACLs to prevent non-administrators from writing to exploitable directories
- Consider using application control solutions to prevent unauthorized executable execution
- Uninstall the vulnerable software if it is not business-critical until a patched version is available
# Registry fix to quote the service path (run as Administrator in PowerShell)
$serviceName = "disksrs"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$currentPath = (Get-ItemProperty -Path $regPath -Name ImagePath).ImagePath
$quotedPath = '"' + $currentPath + '"'
Set-ItemProperty -Path $regPath -Name ImagePath -Value $quotedPath
# Verify the change
Get-ItemProperty -Path $regPath -Name ImagePath
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
