CVE-2021-47822 Overview
CVE-2021-47822 is an unquoted service path vulnerability affecting DiskBoss Service version 12.2.18. The vulnerability exists in the binary path configuration of the DiskBoss service, which lacks proper quotation marks around the executable path. This weakness allows local attackers with write access to specific directories to execute arbitrary code with elevated (SYSTEM) privileges when the service starts.
Unquoted service path vulnerabilities occur when Windows services are configured with paths containing spaces that are not enclosed in quotation marks. Windows interprets spaces in unquoted paths as delimiters, attempting to execute files at each potential path segment before the intended executable. Attackers can exploit this behavior by placing malicious executables in these intermediate path locations.
Critical Impact
Local privilege escalation to SYSTEM-level access, enabling complete system compromise and persistent unauthorized access.
Affected Products
- DiskBoss Service 12.2.18
- DiskBoss Enterprise (versions with unquoted service path)
- Earlier versions of DiskBoss Service may also be affected
Discovery Timeline
- 2026-01-16 - CVE CVE-2021-47822 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47822
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration that creates privilege escalation opportunities. The DiskBoss Service executable path is stored in the Windows registry without proper quotation marks, creating a parsing ambiguity that Windows resolves by attempting to execute files at multiple path locations.
When the service starts (typically at system boot or when manually triggered), Windows Service Control Manager processes the unquoted path sequentially. For example, if the service path is C:\Program Files\DiskBoss Enterprise\bin\diskbsa.exe, Windows will attempt to execute:
- C:\Program.exe
- C:\Program Files\DiskBoss.exe
- C:\Program Files\DiskBoss Enterprise\bin\diskbsa.exe
An attacker with write permissions to any of these intermediate locations can place a malicious executable that will be executed with the service's privileges—typically SYSTEM on Windows systems.
Root Cause
The root cause is improper configuration of the Windows service ImagePath registry value. The service path containing spaces (such as "Program Files") should be enclosed in quotation marks to prevent path interpretation ambiguity. The DiskBoss installer fails to properly quote this path during installation, leaving the service vulnerable to exploitation.
Attack Vector
This is a local attack vector requiring the attacker to have local access to the system with write permissions to one of the potential path locations. The attack requires:
- Local user access to the target system
- Write permissions to a directory in the potential execution path (e.g., C:\ or C:\Program Files\)
- Ability to restart the service or wait for system reboot
The attacker places a malicious executable named appropriately (e.g., Program.exe in C:\) and waits for the DiskBoss service to start. When the service initializes, Windows attempts to execute the malicious file with SYSTEM privileges before reaching the legitimate executable.
The exploitation technique involves identifying the unquoted path using tools like wmic service get name,displayname,pathname,startmode or PowerShell queries, then placing a payload in the appropriate location. Technical details and proof-of-concept information are available in the Exploit-DB #49899 entry.
Detection Methods for CVE-2021-47822
Indicators of Compromise
- Unexpected executables in root directories (e.g., C:\Program.exe, C:\Program Files\DiskBoss.exe)
- Unusual process spawning from DiskBoss service context
- SYSTEM-level processes initiated from non-standard executable locations
- Modified timestamps on files in C:\ or C:\Program Files\ directories
Detection Strategies
- Query Windows services for unquoted paths using wmic service get name,displayname,pathname,startmode | findstr /i /v """"
- Monitor file creation events in C:\ and C:\Program Files\ directories for suspicious executables
- Implement file integrity monitoring on potential path locations
- Use SentinelOne's behavioral detection to identify privilege escalation attempts via service exploitation
Monitoring Recommendations
- Enable Windows Security Event logging for service start events (Event ID 7035, 7036)
- Monitor process creation events (Event ID 4688) for SYSTEM processes spawned from unusual locations
- Configure alerts for new executable files created in system root directories
- Implement SentinelOne endpoint protection with behavioral AI to detect anomalous service behavior
How to Mitigate CVE-2021-47822
Immediate Actions Required
- Audit all installed Windows services for unquoted service paths
- Manually quote the DiskBoss service path in the registry
- Restrict write permissions on C:\ and C:\Program Files\ directories
- Update DiskBoss to the latest version if a patched release is available
Patch Information
Users should visit the DiskBoss Official Website to check for updated versions that address this vulnerability. Additionally, the VulnCheck Security Advisory provides detailed information about the vulnerability and remediation guidance.
As an immediate fix, administrators can manually correct the registry entry to properly quote the service path, preventing Windows from misinterpreting the path during service startup.
Workarounds
- Manually edit the registry key HKLM\SYSTEM\CurrentControlSet\Services\DiskBoss\ImagePath to include quotation marks around the full path
- Remove write permissions for non-administrative users on C:\ and intermediate path directories
- Consider using application whitelisting to prevent unauthorized executables from running
- Deploy SentinelOne endpoint protection to detect and block privilege escalation attempts
# Registry fix command (run as Administrator)
# First, query current path:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\DiskBoss" /v ImagePath
# Then fix by adding quotes (adjust path as needed):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DiskBoss" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\DiskBoss Enterprise\bin\diskbsa.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
