CVE-2021-47874 Overview
CVE-2021-47874 is an unquoted service path vulnerability affecting VFS for Git (Virtual File System for Git) version 1.0.21014.1. The vulnerability exists in the GVFS.Service Windows service, which is installed with an unquoted binary path containing spaces. This configuration flaw allows local attackers with limited privileges to execute arbitrary code with LocalSystem privileges by placing a malicious executable in a location that Windows will search before the legitimate service binary.
Critical Impact
Local attackers can achieve privilege escalation to LocalSystem by exploiting the unquoted service path, gaining complete control over the affected Windows system during service startup or system reboot.
Affected Products
- VFS for Git 1.0.21014.1
- GVFS.Service Windows Service Component
- Windows systems with VFS for Git installed in paths containing spaces
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47874 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47874
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a well-known Windows service misconfiguration that has been exploited for privilege escalation for many years. When VFS for Git is installed, the GVFS.Service is registered with a service binary path that is not enclosed in quotation marks. If the installation path contains spaces (which is common for paths under C:\Program Files), Windows service control manager (SCM) will attempt to resolve the path by checking multiple locations.
The local attack vector requires an attacker to have write access to directories that Windows will search before reaching the legitimate service executable. When the service starts (either manually, automatically at boot, or upon system reboot), Windows will execute the malicious binary with the elevated privileges of the service account—in this case, LocalSystem, which has the highest privilege level on a Windows system.
Root Cause
The root cause is improper service registration during the VFS for Git installation process. When the Windows service is created, the ImagePath registry value under HKLM\SYSTEM\CurrentControlSet\Services\GVFS.Service stores the path to the service executable without surrounding quotation marks. For paths containing spaces, such as C:\Program Files\GVFS\GVFS.Service.exe, Windows interprets this as potentially multiple components and searches for executables in the following order:
- C:\Program.exe
- C:\Program Files\GVFS\GVFS.Service.exe
If an attacker can place a malicious executable named Program.exe in the C:\ directory (or similar locations depending on the path structure), it will be executed instead of the legitimate service binary.
Attack Vector
The attack requires local access to the vulnerable system with sufficient privileges to write files to directories that Windows will search during path resolution. The exploitation flow involves:
- Identifying the unquoted service path in the GVFS.Service registry entry
- Determining which directories the attacker has write access to
- Placing a malicious executable (e.g., Program.exe) in the appropriate location
- Waiting for or triggering a service restart or system reboot
- The malicious payload executes with LocalSystem privileges
This vulnerability is documented in public exploit databases. Technical details and proof-of-concept information can be found in the Exploit-DB #49661 entry and the VulnCheck Advisory for VFS for Git.
Detection Methods for CVE-2021-47874
Indicators of Compromise
- Unexpected executables named Program.exe or similar in root directories or intermediate path locations
- New or modified files in C:\ or C:\Program Files\ directories that do not match legitimate software
- Service execution events showing unusual parent-child process relationships with GVFS.Service
- Registry modifications to the GVFS.Service ImagePath value
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match '\s'}
- Monitor for file creation events in directories that could be exploited (e.g., C:\Program.exe)
- Implement application whitelisting to prevent execution of unauthorized binaries from sensitive locations
- Use endpoint detection and response (EDR) solutions to monitor service startup behavior and privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event logging for process creation events (Event ID 4688) with command line auditing
- Monitor service control manager events (Event ID 7045) for new service installations
- Implement file integrity monitoring on root directories and Program Files paths
- Alert on processes spawned by services that do not match expected executable hashes
How to Mitigate CVE-2021-47874
Immediate Actions Required
- Manually correct the service path by adding quotation marks to the GVFS.Service registry entry
- Audit the system for any suspicious executables in locations that could be exploited
- Restrict write permissions on directories in the service path hierarchy
- Consider temporarily disabling the GVFS.Service until the path is corrected
Patch Information
Organizations should check the VFS for Git Project for updated versions that address this vulnerability with a properly quoted service path during installation. Review the VulnCheck Advisory for the latest remediation guidance.
Workarounds
- Manually fix the registry entry by adding quotation marks around the ImagePath value
- Use the sc config command to reconfigure the service with a properly quoted path
- Implement strict file system permissions to prevent unauthorized write access to exploitable directories
- Deploy application control policies to block execution of unsigned binaries from non-standard locations
# Configuration example - Fix unquoted service path via registry
# Open Registry Editor and navigate to:
# HKLM\SYSTEM\CurrentControlSet\Services\GVFS.Service
# Modify ImagePath from:
# C:\Program Files\GVFS\GVFS.Service.exe
# To:
# "C:\Program Files\GVFS\GVFS.Service.exe"
# Alternative: Use sc.exe command (run as Administrator)
sc config "GVFS.Service" binPath= "\"C:\Program Files\GVFS\GVFS.Service.exe\""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
