CVE-2021-47847 Overview
Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability (CWE-428) in its binary path configuration that allows local attackers to potentially execute arbitrary code. The vulnerability exists in the service executable path C:\Program Files\Disk Sorter Server\bin\disksrs.exe, which lacks proper quoting. This enables attackers with local access to inject malicious executables at predictable locations in the path and escalate privileges when the service is started or restarted.
Critical Impact
Local attackers can exploit the unquoted service path to achieve privilege escalation by placing malicious executables at strategic filesystem locations, potentially gaining SYSTEM-level access on affected Windows systems.
Affected Products
- Disk Sorter Server version 13.6.12
- Windows installations with Disk Sorter Server service configured with unquoted paths
- Systems where low-privileged users have write access to parent directories in the service path
Discovery Timeline
- 2026-01-16 - CVE CVE-2021-47847 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47847
Vulnerability Analysis
This vulnerability stems from improper handling of the Windows service executable path during installation. When Windows services are configured with paths containing spaces that are not enclosed in quotation marks, the operating system's path resolution mechanism becomes exploitable. Windows attempts to resolve the path by testing potential executable locations at each space boundary before reaching the intended target.
In this case, the service path C:\Program Files\Disk Sorter Server\bin\disksrs.exe is stored without quotes, causing Windows to sequentially attempt execution of C:\Program.exe, then C:\Program Files\Disk.exe, then C:\Program Files\Disk Sorter\Server.exe before finally finding the legitimate executable. An attacker who can write to any of these intermediate paths can hijack the service execution flow.
The vulnerability enables local privilege escalation because the Disk Sorter Server service typically runs under elevated privileges (often SYSTEM). When an attacker places a malicious executable at one of the ambiguous path locations and the service restarts, Windows executes the attacker's payload with the service's elevated privileges instead of the legitimate disksrs.exe.
Root Cause
The root cause of CVE-2021-47847 is the failure to properly quote the service binary path during installation. The Windows Service Control Manager (SCM) stores the ImagePath registry value without enclosing quotation marks, triggering the path resolution ambiguity. This is classified under CWE-428 (Unquoted Search Path or Element), a common Windows-specific vulnerability pattern that occurs when installers do not properly escape paths containing whitespace characters.
Attack Vector
The attack vector requires local access to the target system. An attacker with a low-privileged user account needs write permissions to one of the parent directories in the unquoted service path. Common exploitation scenarios include:
The attacker identifies the unquoted service path using commands like wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" or by querying the Windows Registry directly.
The attacker then creates a malicious executable named Program.exe in C:\ or Disk.exe in C:\Program Files\ (if write permissions exist). When the Disk Sorter Server service restarts—either through a system reboot, manual restart, or triggered crash—Windows executes the malicious payload with the service's elevated privileges.
For detailed exploitation techniques, refer to the Exploit-DB #50013 entry and the VulnCheck Advisory on DiskSorter.
Detection Methods for CVE-2021-47847
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Disk.exe, or Server.exe in parent directories of the service path
- Suspicious executable files in C:\, C:\Program Files\, or C:\Program Files\Disk Sorter\ directories
- Unrecognized processes spawned as child processes of the Disk Sorter Server service
- Unusual network connections or file system activity originating from the service context
Detection Strategies
- Query the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc to verify if the ImagePath value contains unquoted paths with spaces
- Use Windows command sc qc "Disk Sorter Server" to display service configuration and identify unquoted binary paths
- Deploy endpoint detection rules to alert on executable creation in root directories (C:\) or C:\Program Files\ outside normal software installation patterns
- Monitor for service binary path modifications through Windows Event ID 7045 (new service installed) and compare against known-good baselines
Monitoring Recommendations
- Enable file integrity monitoring (FIM) on directories such as C:\, C:\Program Files\, and C:\Program Files\Disk Sorter\ to detect unauthorized executable placement
- Configure SentinelOne behavioral AI to detect privilege escalation attempts via service hijacking patterns
- Implement alerting on process execution anomalies where the Disk Sorter Server service spawns unexpected child processes
- Audit service account permissions and monitor for lateral movement following potential exploitation
How to Mitigate CVE-2021-47847
Immediate Actions Required
- Manually correct the service path by adding quotation marks around the executable path in the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc\ImagePath
- Audit all installed Windows services for similar unquoted path vulnerabilities using PowerShell or WMIC queries
- Restrict write permissions on C:\, C:\Program Files\, and intermediate directories to administrators only
- Consider temporarily disabling the Disk Sorter Server service if not critical to business operations until remediation is complete
Patch Information
Contact the Disk Sorter vendor for an updated installer that properly quotes the service path during installation. Monitor the official DiskSorter website for security updates and patched versions. The VulnCheck Advisory may contain additional remediation guidance as it becomes available.
Workarounds
- Manually modify the registry value to include quotes: change the ImagePath value from C:\Program Files\Disk Sorter Server\bin\disksrs.exe to "C:\Program Files\Disk Sorter Server\bin\disksrs.exe"
- Relocate the Disk Sorter Server installation to a path without spaces (e.g., C:\DiskSorter\) to eliminate the path ambiguity
- Implement application whitelisting policies to prevent execution of unauthorized binaries from system directories
- Deploy SentinelOne's real-time protection to block malicious payload execution even if path hijacking is attempted
# Registry fix command (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DiskSorterSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Disk Sorter Server\bin\disksrs.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
