CVE-2021-47823 Overview
CVE-2021-47823 is an unquoted service path vulnerability affecting Acer ePowerSvc version 6.0.3008.0. This security flaw allows local users to potentially execute arbitrary code with elevated system privileges by exploiting an improperly quoted service path in the Windows service configuration. When the ePowerSvc service starts, Windows may execute a malicious binary placed in a strategic location along the service path, granting attackers LocalSystem permissions.
Critical Impact
Local attackers can achieve privilege escalation to LocalSystem, enabling complete system compromise, persistence mechanisms, and lateral movement within enterprise environments.
Affected Products
- Acer ePowerSvc version 6.0.3008.0
- Acer laptops and desktops with pre-installed ePowerSvc power management software
- Windows systems running the vulnerable Acer power management service
Discovery Timeline
- 2026-01-16 - CVE CVE-2021-47823 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47823
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a well-documented class of Windows privilege escalation flaws. The Acer ePowerSvc service executable path contains spaces and is not properly enclosed in quotation marks within the Windows service configuration. When Windows attempts to locate and execute the service binary, it parses the unquoted path sequentially, checking for executable files at each space-delimited segment.
For example, if the service path is C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe, Windows will attempt to execute binaries in the following order:
- C:\Program.exe
- C:\Program Files\Acer\Acer.exe
- C:\Program Files\Acer\Acer ePower.exe
- The intended executable
An attacker with write access to any of these intermediate locations can plant a malicious executable that will be executed with the service's privileges—in this case, LocalSystem.
Root Cause
The root cause is improper service registration during the Acer ePowerSvc installation process. The installer fails to enclose the service binary path in quotation marks when registering the service with the Windows Service Control Manager. This oversight creates an exploitable condition on systems where the service path contains spaces, which is standard for software installed under C:\Program Files\.
Attack Vector
This is a local attack vector requiring the adversary to have an authenticated session on the target system. The attacker must have write permissions to one of the intermediate path locations that Windows parses before reaching the legitimate service executable. In enterprise environments, this vulnerability is particularly concerning as it enables low-privileged domain users to escalate to LocalSystem on Acer workstations, potentially compromising domain credentials cached on the system.
The exploitation process involves:
- Identifying the unquoted service path via sc qc ePowerSvc or registry enumeration
- Placing a malicious executable (e.g., Acer.exe) in C:\Program Files\Acer\
- Waiting for or triggering a service restart, which occurs automatically at system boot
The vulnerability mechanism exploits how Windows parses unquoted paths containing spaces during service initialization. When the ePowerSvc service starts, the Service Control Manager processes the path segment by segment. An attacker with appropriate file system permissions can place a malicious binary at an intermediate path location (such as C:\Program Files\Acer\Acer.exe) that Windows will execute before reaching the legitimate service executable. For detailed technical analysis and proof-of-concept information, refer to Exploit-DB #49900 and the VulnCheck Advisory on ePowerSvc.
Detection Methods for CVE-2021-47823
Indicators of Compromise
- Presence of unexpected executables in C:\Program Files\Acer\ with names like Acer.exe or Acer ePower.exe
- Unusual process spawning from the ePowerSvc service context
- Suspicious child processes running under LocalSystem that originate from the Acer installation directory
- File creation events in intermediate path locations coinciding with service restart attempts
Detection Strategies
- Enumerate unquoted service paths using PowerShell or WMI queries to identify vulnerable services: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
- Monitor for file creation events in C:\Program Files\Acer\ for executables not signed by Acer Inc.
- Implement application whitelisting to prevent unauthorized executables from running in the Acer installation directory
- Deploy endpoint detection rules that alert on process execution from service paths where the executing binary differs from the registered service executable
Monitoring Recommendations
- Enable Windows Security Event logging for service start events (Event ID 7045) and correlate with process creation logs
- Configure SentinelOne to monitor for unquoted service path exploitation attempts and unauthorized privilege escalation
- Implement file integrity monitoring on the C:\Program Files\Acer\ directory to detect rogue executable placement
- Review service configurations periodically using automated vulnerability scanning tools
How to Mitigate CVE-2021-47823
Immediate Actions Required
- Audit all Acer systems for the presence of ePowerSvc version 6.0.3008.0 and prioritize remediation
- Manually correct the service path by enclosing it in quotation marks via the Windows Registry or sc config command
- Restrict write permissions on the C:\Program Files\Acer\ directory to administrative users only
- Consider disabling the ePowerSvc service if power management functionality is not required
Patch Information
No official patch information is available from Acer at this time. Administrators should check the Acer Official Website for updated drivers and software that may address this vulnerability. The VulnCheck Advisory on ePowerSvc provides additional remediation guidance.
Workarounds
- Use the Windows sc config command to manually quote the service path: sc config ePowerSvc binPath= "\"C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe\""
- Modify the registry directly at HKLM\SYSTEM\CurrentControlSet\Services\ePowerSvc to add quotation marks around the ImagePath value
- Remove write permissions for non-administrative users from intermediate path locations
- Uninstall ePowerSvc if the power management features are not essential for business operations
# Configuration example - Correcting the unquoted service path
sc config ePowerSvc binPath= "\"C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe\""
# Verify the fix was applied
sc qc ePowerSvc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
