CVE-2021-47859 Overview
CVE-2021-47859 is an unquoted service path vulnerability affecting ActivIdentity 8.2, specifically in the ac.sharedstore service. This flaw allows local attackers to potentially execute arbitrary code by exploiting the unquoted binary path located at C:\Program Files\Common Files\ActivIdentity\. An attacker with local access can inject malicious executables into the path and escalate privileges when the service starts or restarts.
Critical Impact
Local attackers can achieve privilege escalation by placing a malicious executable in the unquoted service path, potentially gaining SYSTEM-level access on affected systems.
Affected Products
- ActivIdentity 8.2
- HID Global ActivIdentity ac.sharedstore service
- Systems with ActivIdentity software installed with default service configurations
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47859 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47859
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a class of vulnerabilities that occurs when a service executable path containing spaces is not properly enclosed in quotation marks in the Windows registry. When Windows attempts to start a service with an unquoted path like C:\Program Files\Common Files\ActivIdentity\service.exe, it sequentially attempts to execute:
- C:\Program.exe
- C:\Program Files\Common.exe
- C:\Program Files\Common Files\ActivIdentity\service.exe
This behavior creates an opportunity for privilege escalation. If an attacker can write a malicious executable to one of these intermediate paths (such as C:\Program.exe or C:\Program Files\Common.exe), and the service runs with elevated privileges (typically SYSTEM), the attacker's code will execute with those same elevated privileges when the service starts.
Root Cause
The root cause of this vulnerability is the improper registration of the ac.sharedstore service in the Windows Service Control Manager. The service's ImagePath registry value contains the executable path without surrounding quotation marks. This is a common misconfiguration during software installation where developers fail to properly quote paths that contain spaces.
Attack Vector
The attack vector is local, requiring the attacker to have write access to a directory in the unquoted path hierarchy. Exploitation typically involves the following steps:
The attacker first identifies the vulnerable service by querying the Windows registry or using tools like wmic to find services with unquoted paths. Once the ac.sharedstore service is identified, the attacker crafts a malicious executable (such as a reverse shell or payload) and places it at one of the exploitable path locations. The attacker then waits for or triggers a service restart, at which point the malicious executable runs with the service's privileges.
For detailed technical information on this vulnerability, refer to the VulnCheck Advisory and Exploit-DB #49703.
Detection Methods for CVE-2021-47859
Indicators of Compromise
- Unexpected executables appearing in C:\Program.exe, C:\Program Files\Common.exe, or C:\Program Files\Common Files\ActivIdentity\ directories
- Unusual process execution originating from the ac.sharedstore service context
- New files with .exe extension in root directories or parent directories of the ActivIdentity installation path
- Service startup failures or unexpected service behavior for ac.sharedstore
Detection Strategies
- Monitor Windows file system events for new executable files created in C:\, C:\Program Files\, or C:\Program Files\Common Files\ directories
- Audit service configurations using PowerShell or WMIC to identify services with unquoted paths containing spaces
- Implement endpoint detection rules to alert on process execution chains where the parent process is the ac.sharedstore service but the child process is not the expected legitimate executable
- Use SentinelOne's behavioral AI to detect anomalous execution patterns associated with privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event logging for service state changes (Event IDs 7035, 7036, 7045)
- Configure file integrity monitoring (FIM) on critical system directories that could be exploited via unquoted paths
- Deploy SentinelOne agents with process monitoring to track service executable paths and identify deviations from baseline configurations
- Regularly scan systems for unquoted service path vulnerabilities using security assessment tools
How to Mitigate CVE-2021-47859
Immediate Actions Required
- Audit all installed services on affected systems to identify unquoted service paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
- Manually correct the ac.sharedstore service path in the Windows registry by adding quotation marks around the executable path
- Restrict write permissions on directories in the service path hierarchy to prevent unauthorized file placement
- Monitor the HID Global vendor site for official patches or updated installers that address this vulnerability
Patch Information
No official vendor patch information is currently available in the CVE data. Organizations should contact HID Global directly for guidance on obtaining a patched version of ActivIdentity that properly quotes service paths during installation. As a preventive measure, ensure any software updates or reinstallations are tested to verify the service path is properly quoted.
Workarounds
- Manually add quotation marks to the service's ImagePath registry value located at HKLM\SYSTEM\CurrentControlSet\Services\ac.sharedstore
- Implement strict access controls on directories that could be exploited (e.g., C:\Program Files\, C:\Program Files\Common Files\)
- Use application whitelisting to prevent unauthorized executables from running in critical system paths
- Consider isolating systems running ActivIdentity 8.2 until a proper fix can be applied
# PowerShell command to fix unquoted service path
# Run as Administrator
$serviceName = "ac.sharedstore"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$imagePath = (Get-ItemProperty -Path $regPath).ImagePath
if ($imagePath -notmatch '^"') {
Set-ItemProperty -Path $regPath -Name ImagePath -Value "`"$imagePath`""
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
