CVE-2021-47866 Overview
CVE-2021-47866 is an unquoted service path vulnerability affecting WIN-PACK PRO 4.8, specifically in the GuardTourService component. This security flaw allows local users to potentially execute arbitrary code with elevated system privileges by exploiting the improperly quoted service path configuration.
The vulnerability exists because the Windows service path C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe contains spaces but is not enclosed in quotation marks. When Windows attempts to start the service, it interprets the path ambiguously, potentially executing a malicious binary placed in a strategic location within the path hierarchy.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM level by placing a malicious executable in the unquoted service path, which executes with elevated privileges during service startup.
Affected Products
- WIN-PACK PRO 4.8
- GuardTourService component
- Honeywell WIN-PAK access control systems
Discovery Timeline
- 2026-01-21 - CVE-2021-47866 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47866
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a well-documented Windows privilege escalation technique. The root issue stems from how Windows parses executable paths containing spaces when the path is not properly quoted in the service configuration.
When a Windows service is configured with an unquoted path containing spaces, the Service Control Manager (SCM) attempts to locate the executable by progressively parsing the path at each space. For the vulnerable path C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe, Windows will attempt to execute in order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\WINPAKPRO\WP.exe
- C:\Program Files (x86)\WINPAKPRO\WP GuardTour.exe
- Finally, the intended executable
An attacker with local write access to any of these intermediate paths can plant a malicious executable that will be executed with the service's privileges (typically SYSTEM) when the service starts.
Root Cause
The vulnerability originates from improper service registration in the Windows registry. The GuardTourService path was stored without enclosing quotation marks, violating Windows security best practices for service path definitions. This configuration error allows the Windows path parsing mechanism to be exploited for privilege escalation.
Attack Vector
This is a local attack vector requiring the attacker to have local access to the system with sufficient permissions to write to one of the intermediate path locations. The most common exploitation scenario involves:
- Attacker gains local user access to the target system
- Attacker creates a malicious executable named WP.exe in C:\Program Files (x86)\WINPAKPRO\
- When the GuardTourService restarts (either manually or during system reboot), the malicious WP.exe is executed with SYSTEM privileges
- Attacker achieves privilege escalation
The vulnerability exploitation details are documented in the Exploit-DB #49690 advisory. The attack requires local access but does not require user interaction, making it particularly dangerous in multi-user environments or systems where low-privileged accounts have been compromised.
Detection Methods for CVE-2021-47866
Indicators of Compromise
- Unexpected executables in C:\Program Files (x86)\WINPAKPRO\ directory such as WP.exe, WP GuardTour.exe, or similar variants
- New or modified files in the WIN-PACK PRO installation directory with recent timestamps
- Unusual process execution under the GuardTourService parent process
- Service startup failures or unexpected behavior from the GuardTourService
Detection Strategies
- Query Windows services for unquoted service paths using wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
- Monitor the WIN-PACK PRO installation directory for newly created executable files
- Implement file integrity monitoring on critical system directories
- Review Windows Event Logs for service-related errors or suspicious process creation events
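The audit below applies the parsing order described under Vulnerability Analysis to a set of exported ImagePath values, so each flagged service comes with the exact locations to check for unexpected executables. It is an added example, not vendor or advisory code; the two "Example" services are constructed sample data, and the exists callback is a hypothetical hook for the file check.

```python
import os
import re

# Executable portion of an unquoted ImagePath: text up to the first ".exe"
# that is followed by whitespace or end of string (arguments are ignored).
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# Constructed sample data; only the GuardTourService value comes from the page.
SAMPLE_SERVICES = {
    "GuardTourService": r"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe",
    "ExampleQuoted": r'"C:\Program Files\Example\svc.exe" --run',
    "ExampleArgsOnly": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def candidate_paths(image_path):
    """Return the earlier paths Windows would try for an unquoted ImagePath."""
    value = image_path.strip()
    if value.startswith('"'):
        return []  # quoted path: no ambiguity
    match = _EXE.match(value)
    if not match:
        return []  # not an .exe path this example knows how to parse
    exe = match.group(1)
    # Every space inside the executable path is a point where parsing may stop.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe)
            if ch == " " and not exe[:i].endswith(" ")]


def audit(services, exists=os.path.isfile):
    """Map each affected service to its candidate paths and any that exist."""
    findings = {}
    for name, image_path in services.items():
        candidates = candidate_paths(image_path)
        if candidates:
            findings[name] = {
                "candidates": candidates,
                "present": [p for p in candidates if exists(p)],
            }
    return findings


if __name__ == "__main__":
    for name, result in audit(SAMPLE_SERVICES).items():
        print(name, "has an unquoted ImagePath; check these locations:")
        for path in result["candidates"]:
            flag = "PRESENT" if path in result["present"] else "absent"
            print(f"  [{flag}] {path}")
```

Any candidate reported as present on a real host is a file that should not exist and warrants investigation before the service is next restarted.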
Monitoring Recommendations
- Enable Windows Security Event Log auditing for process creation (Event ID 4688)
- Configure alerts for new executable files created in Program Files directories
- Monitor service startup events for the GuardTourService
- Implement endpoint detection for privilege escalation attempts targeting Windows services
How to Mitigate CVE-2021-47866
Immediate Actions Required
- Audit all Windows services for unquoted paths using the detection command provided above
- Verify file permissions on the C:\Program Files (x86)\WINPAKPRO\ directory to prevent unauthorized write access
- Check for suspicious executables in the installation path hierarchy
- Contact Honeywell support for updated software versions addressing this vulnerability
Patch Information
Organizations should consult the Honeywell Product Repository for the latest WIN-PAK software updates and security patches. Additional technical details are available in the VulnCheck Advisory.
Workarounds
- Manually correct the service path by adding quotation marks to the ImagePath registry value for the GuardTourService
- Restrict write permissions on intermediate path directories to administrators only
- Implement application whitelisting to prevent unauthorized executables from running
- Consider temporarily disabling the GuardTourService if not critical to operations until a patch is applied
# Registry fix to quote the service path (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\GuardTourService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe\"" /f

