CVE-2021-47862 Overview
CVE-2021-47862 is an unquoted service path vulnerability in Hi-Rez Studios 5.1.6.3 affecting the HiPatchService component. This local privilege escalation vulnerability allows attackers with local access to execute arbitrary code with elevated LocalSystem permissions by exploiting the improper handling of service executable paths containing spaces.
Critical Impact
Local attackers can gain LocalSystem privileges by placing a malicious executable in the unquoted service path, achieving complete system compromise during service startup or system reboot.
Affected Products
- Hi-Rez Studios 5.1.6.3
- HiPatchService component
- Windows installations with vulnerable Hi-Rez game clients
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47862 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47862
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration. When a Windows service is configured with an executable path containing spaces that is not properly enclosed in quotation marks, Windows interprets the path ambiguously during service startup. The HiPatchService in Hi-Rez Studios 5.1.6.3 suffers from this exact configuration flaw, allowing local attackers to hijack the service execution flow.
The vulnerability requires local access to the system, making it particularly relevant in multi-user environments, shared workstations, or systems already partially compromised. Once exploited, the attacker gains LocalSystem privileges—the highest privilege level on Windows systems—enabling complete control over the affected machine.
Root Cause
The root cause is the improper configuration of the HiPatchService executable path in the Windows registry. When the service path contains spaces (such as C:\Program Files\Hi-Rez Studios\HiPatchService.exe) and is not enclosed in quotation marks, Windows attempts to locate executables at each space-delimited segment of the path. This behavior creates an opportunity for attackers to place malicious executables at intermediate path locations.
For example, if an attacker places a file named Program.exe or Hi-Rez.exe in the C:\ or C:\Program Files\ directory respectively, Windows may execute this malicious file instead of the legitimate service executable when the service starts.
Attack Vector
The attack vector is local, requiring the attacker to have the ability to write files to directories in the unquoted service path. The exploitation process involves:
- Identifying the vulnerable unquoted service path for HiPatchService
- Determining which intermediate path locations are writable by the attacker
- Placing a malicious executable at a location that Windows will attempt to execute before reaching the legitimate service binary
- Triggering service restart through system reboot or manual service manipulation
- Gaining code execution with LocalSystem privileges when the malicious executable runs
The attacker's payload executes with the same permissions as the service—in this case, LocalSystem—providing complete administrative access to the compromised system.
Detection Methods for CVE-2021-47862
Indicators of Compromise
- Presence of unexpected executables in C:\Program.exe, C:\Program Files\Hi-Rez.exe, or similar intermediate path locations
- Unusual process execution originating from HiPatchService with suspicious child processes
- New or modified executables in the Hi-Rez Studios installation directory path segments
- Windows Event Log entries showing service start failures followed by unexpected process execution
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' }
- Monitor file creation events in root directories and Program Files for unexpected executables
- Implement application whitelisting to prevent unauthorized executables from running in service contexts
- Use endpoint detection tools to alert on privilege escalation patterns and suspicious LocalSystem process creation
Monitoring Recommendations
- Enable Windows Security Event Log auditing for process creation (Event ID 4688) with command line logging
- Configure file integrity monitoring on directories within common unquoted service paths
- Deploy SentinelOne's behavioral AI to detect privilege escalation attempts and anomalous service behavior
- Establish baseline service configurations and alert on deviations during service startup sequences
How to Mitigate CVE-2021-47862
Immediate Actions Required
- Audit the HiPatchService registry configuration and add quotation marks around the service executable path
- Scan for and remove any suspicious executables in intermediate path locations (C:\Program.exe, etc.)
- Restrict write permissions on directories that fall within the unquoted service path
- Update Hi-Rez Studios software to the latest version if a patched release is available
- Implement principle of least privilege to limit user ability to write to sensitive directories
Patch Information
Check the Hi-Rez Studios official website for the latest software updates that may address this vulnerability. Review the VulnCheck Advisory for detailed technical information and remediation guidance. Additional technical details are available through Exploit-DB #49701.
Workarounds
- Manually correct the service path by adding quotation marks in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\HiPatchService
- Remove write permissions for non-administrative users on the C:\ root directory and C:\Program Files\ folder
- Disable the HiPatchService if not required for game functionality until a proper patch is available
- Use Windows Group Policy to restrict executable permissions in affected path locations
# PowerShell command to identify and fix unquoted service paths
# First, identify the vulnerable service path
Get-WmiObject Win32_Service -Filter "Name='HiPatchService'" | Select-Object Name, PathName
# To fix, modify the registry value with proper quoting (requires administrative privileges)
# Example: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HiPatchService" -Name "ImagePath" -Value '"C:\Program Files\Hi-Rez Studios\HiPatchService\HiPatchService.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
