CVE-2021-47845 Overview
CVE-2021-47845 is an unquoted service path vulnerability affecting Spy Emergency 25.0.650, a Windows-based anti-spyware security application. The vulnerability exists in the Windows service configurations for SpyEmergencyHealth.exe and SpyEmergencySrv.exe, where file paths containing spaces are not properly enclosed in quotation marks. This configuration flaw allows local attackers with limited privileges to execute arbitrary code with elevated (SYSTEM) privileges by placing a malicious executable in a strategic location along the unquoted path.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level access by exploiting unquoted service paths, potentially compromising the entire Windows system.
Affected Products
- Spy Emergency 25.0.650
- SpyEmergencyHealth.exe service component
- SpyEmergencySrv.exe service component
Discovery Timeline
- 2026-01-16 - CVE-2021-47845 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47845
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows privilege escalation vector. When a Windows service is configured with a path that contains spaces but is not enclosed in quotation marks, the Windows Service Control Manager (SCM) interprets the path ambiguously during service startup.
For example, if a service path is configured as C:\Program Files\Spy Emergency\SpyEmergencySrv.exe, Windows will attempt to execute files in the following order:
- C:\Program.exe
- C:\Program Files\Spy.exe
- C:\Program Files\Spy Emergency\SpyEmergencySrv.exe
An attacker with write access to C:\ or C:\Program Files\ can place a malicious executable named Program.exe or Spy.exe respectively, which would be executed with SYSTEM privileges when the service starts or restarts.
Root Cause
The root cause is improper service registration during Spy Emergency 25.0.650 installation. The installer fails to enclose service binary paths in quotation marks when registering the SpyEmergencyHealth.exe and SpyEmergencySrv.exe services with the Windows Service Control Manager. This oversight creates an exploitable condition where the path parsing behavior of Windows can be abused for privilege escalation.
Attack Vector
The attack requires local access to the target system and the ability to write files to directories along the unquoted service path. A low-privileged user can exploit this vulnerability by:
- Identifying the unquoted service path using tools like wmic service get name,displayname,pathname,startmode
- Determining which intermediate directories are writable
- Placing a malicious payload executable at a location that Windows will attempt to execute before the legitimate service binary
- Waiting for or triggering a service restart (e.g., system reboot)
- Gaining code execution with SYSTEM privileges when the malicious binary is executed
The vulnerability can be discovered by querying the Windows service configuration. Detailed exploitation techniques are documented in the Exploit-DB #49997 advisory.
Detection Methods for CVE-2021-47845
Indicators of Compromise
- Unexpected executable files at locations along the unquoted path, such as C:\Program.exe or C:\Program Files\Spy.exe
- Suspicious processes spawned as children of service host processes with unusual binary paths
- Modified or newly created executables in C:\Program Files\ with names matching path components
Detection Strategies
- Query Windows services for unquoted paths containing spaces using wmic service get name,pathname,startmode | findstr /i "C:\Program"
- Monitor file creation events in directories along the vulnerable service paths
- Implement application whitelisting to prevent unauthorized executables from running in protected directories
- Use SentinelOne's behavioral AI to detect privilege escalation attempts via service manipulation
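The path-parsing order described under Vulnerability Analysis and the service query above can be combined into one read-only audit. The PowerShell below is an added example, not code from the vendor or the referenced advisories; Get-UnquotedPathCandidates is a hypothetical helper name, and the sample path is the constructed example used earlier on this page.

```powershell
# Added example: audit Windows services for unquoted paths (CWE-428).
# Get-UnquotedPathCandidates is a hypothetical helper name, not a built-in cmdlet.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    # A path that starts with a quote is parsed unambiguously.
    if ($path.StartsWith('"')) { return }
    # Keep the executable portion only; text after ".exe" is arguments.
    if (-not ($path -match '^(?<exe>.+?\.exe)(\s|$)')) { return }
    $exe = $Matches['exe']
    # No space inside the executable path means there is nothing to misparse.
    if ($exe -notmatch ' ') { return }

    # Every space is a point where the path can be cut short and ".exe" appended.
    # The last token is skipped because it yields the legitimate binary itself.
    $tokens = $exe -split ' '
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        ($tokens[0..$i] -join ' ') + '.exe'
    }
}

# Constructed sample: the example path discussed on this page.
Get-UnquotedPathCandidates -ImagePath 'C:\Program Files\Spy Emergency\SpyEmergencySrv.exe'

# Live audit of the local machine (read-only).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        $candidates = @(Get-UnquotedPathCandidates -ImagePath $svc.PathName)
        if ($candidates.Count -gt 0) {
            # A file already sitting at a candidate location is an indicator of compromise.
            $present = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
            [pscustomobject]@{
                Name       = $svc.Name
                StartMode  = $svc.StartMode
                PathName   = $svc.PathName
                Candidates = $candidates -join '; '
                Present    = $present -join '; '
            }
        }
    } | Format-List
```

A service that still appears in the output after its path has been quoted has not been fixed; a non-empty Present field should be investigated before the service is next restarted.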
Monitoring Recommendations
- Enable Windows Security Event logging for service configuration changes (Event ID 4697)
- Monitor process creation events for executables running from unexpected locations with SYSTEM privileges
- Configure alerts for new file creation in root and Program Files directories
- Deploy endpoint detection and response (EDR) solutions to identify suspicious service-related activity
How to Mitigate CVE-2021-47845
Immediate Actions Required
- Audit all installed Spy Emergency services for unquoted path configurations
- Manually correct the service path by adding quotation marks around the ImagePath registry value
- Restrict write permissions on directories along the service path (e.g., C:\ and C:\Program Files\)
- Consider uninstalling Spy Emergency until an official patch is available
Patch Information
No official vendor patch has been documented in the available CVE data. Users should check the Spy Emergency Homepage for updated versions that address this vulnerability. The VulnCheck Advisory on Spy Emergency provides additional guidance on remediation steps.
Workarounds
- Manually fix the unquoted service path by modifying the Windows registry ImagePath value to include quotation marks
- Use the sc config command to reconfigure the service with a properly quoted path
- Implement strict ACLs on directories that could be used for payload placement
- Deploy application control policies to prevent unauthorized executable execution
REM Configuration example (adjust the path to the actual install location)
REM Fix unquoted service path using sc command (run as Administrator in Command Prompt)
sc config "SpyEmergencySrv" binPath= "\"C:\Program Files\Spy Emergency\SpyEmergencySrv.exe\""
REM Alternatively, use reg command to modify the registry directly
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SpyEmergencySrv" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Spy Emergency\SpyEmergencySrv.exe\"" /f
REM Repeat for the service that runs SpyEmergencyHealth.exe, using its own service name and binary path
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


