CVE-2021-47864 Overview
CVE-2021-47864 is an unquoted service path vulnerability affecting OSAS Traverse Extension 11. The vulnerability exists in the TravExtensionHostSvc service, which runs with LocalSystem privileges—the highest privilege level on Windows systems. Due to improper quoting of the service executable path, attackers with local access can exploit this weakness to inject and execute malicious code, potentially gaining full system-level access.
Critical Impact
Local attackers can escalate privileges to LocalSystem by exploiting the unquoted service path, enabling complete system compromise and persistent access.
Affected Products
- OSAS Traverse Extension 11
- TravExtensionHostSvc Windows Service
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47864 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47864
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common weakness in Windows service configurations. When a Windows service executable path contains spaces and is not properly enclosed in quotation marks, the Windows Service Control Manager (SCM) parses the path incorrectly, attempting to locate executables at various points along the path before finding the intended target.
The TravExtensionHostSvc service runs with LocalSystem privileges, which represents the most powerful user context on a Windows system. This privilege level has unrestricted access to all local resources and can act as the machine on the network. The combination of an unquoted path with elevated service privileges creates a dangerous privilege escalation vector.
An attacker who can write files to specific locations in the service path can plant a malicious executable that Windows will execute instead of the legitimate service binary. When the service starts (either manually, at system boot, or upon restart after a crash), the malicious code runs with LocalSystem privileges.
Root Cause
The root cause of this vulnerability is the failure to properly quote the service binary path during installation or configuration of the OSAS Traverse Extension 11 software. When the service path contains spaces (e.g., C:\Program Files\OSAS\Traverse Extension\TravExtensionHostSvc.exe), Windows interprets each space as a potential argument delimiter if the path is unquoted. This causes Windows to search for executables in the following order:
- C:\Program.exe
- C:\Program Files\OSAS\Traverse.exe
- C:\Program Files\OSAS\Traverse Extension\TravExtensionHostSvc.exe
The first matching executable found will be executed instead of the intended service binary.
Attack Vector
The attack requires local access to the system with sufficient privileges to write files to one of the exploitable path locations. In many environments, the C:\ root directory or other intermediate directories may have overly permissive write access configured, making exploitation feasible for standard users.
The attack flow typically involves:
- Identifying the unquoted service path through service enumeration
- Determining which intermediate paths have writable permissions
- Placing a malicious executable (named appropriately, such as Program.exe or Traverse.exe) in the writable location
- Triggering a service restart or waiting for system reboot
- The malicious code executes with LocalSystem privileges
The vulnerability can be verified by querying the service configuration. An unquoted path will appear as a raw path string without surrounding quotation marks, while a properly configured service will show the path enclosed in quotes.
Detection Methods for CVE-2021-47864
Indicators of Compromise
- Unexpected executable files in C:\ root directory (e.g., Program.exe)
- Executable files with names matching path components in C:\Program Files\ subdirectories
- Unusual service start failures followed by successful starts
- Evidence of privilege escalation from standard user accounts to SYSTEM
Detection Strategies
- Query all Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^\"' -and $_.PathName -match ' ' }
- Monitor file creation events in common exploitation directories such as C:\ and C:\Program Files\
- Implement application whitelisting to prevent execution of unexpected binaries
- Use SentinelOne's behavioral AI to detect anomalous process creation from service contexts
Monitoring Recommendations
- Enable Windows Security Event logging for service installation and modification events (Event IDs 7045, 7040)
- Monitor process creation events where the parent process is services.exe with unexpected child processes
- Track file system changes in directories that match unquoted service path components
- Configure alerts for any process named Program.exe or similar suspicious executable names
How to Mitigate CVE-2021-47864
Immediate Actions Required
- Audit all installed services for unquoted paths and remediate immediately
- Verify file system permissions on directories within the service path to ensure standard users cannot write to them
- Consider disabling the TravExtensionHostSvc service if not business-critical until remediation is complete
- Apply the principle of least privilege to all service accounts
Patch Information
No vendor patch information is currently available for this vulnerability. OSAS has been archived and the product may no longer receive security updates. Organizations using OSAS Traverse Extension 11 should consider the manual remediation steps below or evaluate migration to supported software alternatives.
For technical details and verified exploit information, see Exploit-DB #49698 and the Vulncheck Advisory on OSAS.
Workarounds
- Manually fix the unquoted service path by modifying the registry entry for the affected service
- Restrict write permissions on all directories in the service path hierarchy
- Implement application control policies to block unauthorized executables from running
- Consider replacing the vulnerable software with a supported alternative if the vendor is no longer active
# Manual registry fix to quote the service path
# Run as Administrator in Command Prompt
sc config TravExtensionHostSvc binPath= "\"C:\Program Files\OSAS\Traverse Extension\TravExtensionHostSvc.exe\""
# Alternative: Use Registry Editor to modify
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TravExtensionHostSvc
# Edit ImagePath value to include surrounding quotes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
