Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2021-47847

CVE-2021-47847: Disk Sorter Server Privilege Escalation

CVE-2021-47847 is an unquoted service path vulnerability in Disk Sorter Server 13.6.12 that enables local attackers to execute arbitrary code and escalate privileges. This article covers technical details, impact, and mitigation.

Published:

CVE-2021-47847 Overview

Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability (CWE-428) in its binary path configuration that allows local attackers to potentially execute arbitrary code. The vulnerability exists in the service executable path C:\Program Files\Disk Sorter Server\bin\disksrs.exe, which lacks proper quoting. This enables attackers with local access to inject malicious executables at predictable locations in the path and escalate privileges when the service is started or restarted.

Critical Impact

Local attackers can exploit the unquoted service path to achieve privilege escalation by placing malicious executables at strategic filesystem locations, potentially gaining SYSTEM-level access on affected Windows systems.

Affected Products

  • Disk Sorter Server version 13.6.12
  • Windows installations with Disk Sorter Server service configured with unquoted paths
  • Systems where low-privileged users have write access to parent directories in the service path

Discovery Timeline

  • 2026-01-16 - CVE CVE-2021-47847 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2021-47847

Vulnerability Analysis

This vulnerability stems from improper handling of the Windows service executable path during installation. When Windows services are configured with paths containing spaces that are not enclosed in quotation marks, the operating system's path resolution mechanism becomes exploitable. Windows attempts to resolve the path by testing potential executable locations at each space boundary before reaching the intended target.

In this case, the service path C:\Program Files\Disk Sorter Server\bin\disksrs.exe is stored without quotes, causing Windows to sequentially attempt execution of C:\Program.exe, then C:\Program Files\Disk.exe, then C:\Program Files\Disk Sorter\Server.exe before finally finding the legitimate executable. An attacker who can write to any of these intermediate paths can hijack the service execution flow.

The vulnerability enables local privilege escalation because the Disk Sorter Server service typically runs under elevated privileges (often SYSTEM). When an attacker places a malicious executable at one of the ambiguous path locations and the service restarts, Windows executes the attacker's payload with the service's elevated privileges instead of the legitimate disksrs.exe.

Root Cause

The root cause of CVE-2021-47847 is the failure to properly quote the service binary path during installation. The Windows Service Control Manager (SCM) stores the ImagePath registry value without enclosing quotation marks, triggering the path resolution ambiguity. This is classified under CWE-428 (Unquoted Search Path or Element), a common Windows-specific vulnerability pattern that occurs when installers do not properly escape paths containing whitespace characters.

Attack Vector

The attack vector requires local access to the target system. An attacker with a low-privileged user account needs write permissions to one of the parent directories in the unquoted service path. Common exploitation scenarios include:

The attacker identifies the unquoted service path using commands like wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" or by querying the Windows Registry directly.

The attacker then creates a malicious executable named Program.exe in C:\ or Disk.exe in C:\Program Files\ (if write permissions exist). When the Disk Sorter Server service restarts—either through a system reboot, manual restart, or triggered crash—Windows executes the malicious payload with the service's elevated privileges.

For detailed exploitation techniques, refer to the Exploit-DB #50013 entry and the VulnCheck Advisory on DiskSorter.

Detection Methods for CVE-2021-47847

Indicators of Compromise

  • Presence of unexpected executables named Program.exe, Disk.exe, or Server.exe in parent directories of the service path
  • Suspicious executable files in C:\, C:\Program Files\, or C:\Program Files\Disk Sorter\ directories
  • Unrecognized processes spawned as child processes of the Disk Sorter Server service
  • Unusual network connections or file system activity originating from the service context

Detection Strategies

  • Query the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc to verify if the ImagePath value contains unquoted paths with spaces
  • Use Windows command sc qc "Disk Sorter Server" to display service configuration and identify unquoted binary paths
  • Deploy endpoint detection rules to alert on executable creation in root directories (C:\) or C:\Program Files\ outside normal software installation patterns
  • Monitor for service binary path modifications through Windows Event ID 7045 (new service installed) and compare against known-good baselines

Monitoring Recommendations

  • Enable file integrity monitoring (FIM) on directories such as C:\, C:\Program Files\, and C:\Program Files\Disk Sorter\ to detect unauthorized executable placement
  • Configure SentinelOne behavioral AI to detect privilege escalation attempts via service hijacking patterns
  • Implement alerting on process execution anomalies where the Disk Sorter Server service spawns unexpected child processes
  • Audit service account permissions and monitor for lateral movement following potential exploitation

How to Mitigate CVE-2021-47847

Immediate Actions Required

  • Manually correct the service path by adding quotation marks around the executable path in the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc\ImagePath
  • Audit all installed Windows services for similar unquoted path vulnerabilities using PowerShell or WMIC queries
  • Restrict write permissions on C:\, C:\Program Files\, and intermediate directories to administrators only
  • Consider temporarily disabling the Disk Sorter Server service if not critical to business operations until remediation is complete

Patch Information

Contact the Disk Sorter vendor for an updated installer that properly quotes the service path during installation. Monitor the official DiskSorter website for security updates and patched versions. The VulnCheck Advisory may contain additional remediation guidance as it becomes available.

Workarounds

  • Manually modify the registry value to include quotes: change the ImagePath value from C:\Program Files\Disk Sorter Server\bin\disksrs.exe to "C:\Program Files\Disk Sorter Server\bin\disksrs.exe"
  • Relocate the Disk Sorter Server installation to a path without spaces (e.g., C:\DiskSorter\) to eliminate the path ambiguity
  • Implement application whitelisting policies to prevent execution of unauthorized binaries from system directories
  • Deploy SentinelOne's real-time protection to block malicious payload execution even if path hijacking is attempted
bash
# Registry fix command (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Disk Sorter Server\bin\disksrs.exe\"" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne