CVE-2021-47880 Overview
CVE-2021-47880 is an unquoted service path vulnerability affecting Realtek Wireless LAN Utility version 700.1631. This flaw allows local users to potentially execute arbitrary code with elevated system privileges by exploiting how Windows handles unquoted service paths containing spaces. When the service starts, Windows may incorrectly interpret the path and execute a malicious executable placed strategically in the system root directory.
Critical Impact
Local attackers with low privileges can achieve privilege escalation to SYSTEM level by placing a malicious executable in the system root path, which executes during application startup or system reboot.
Affected Products
- Realtek Wireless LAN Utility version 700.1631
- Windows systems running the affected Realtek wireless utility
- Systems with the RtlNsu service installed
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47880 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47880
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration issue. The Realtek Wireless LAN Utility installs a service with an executable path that is not enclosed in quotation marks. When the service path contains spaces and is unquoted, Windows attempts to locate the executable by parsing the path at each space character.
For example, if the service path is C:\Program Files\Realtek\Wireless LAN Utility\service.exe, Windows will attempt to execute in the following order:
- C:\Program.exe
- C:\Program Files\Realtek\Wireless.exe
- C:\Program Files\Realtek\Wireless LAN Utility\service.exe
An attacker with write access to C:\ or intermediate directories can place a malicious executable (e.g., Program.exe) that will be executed with the privileges of the service account—typically SYSTEM.
Root Cause
The root cause is improper quoting of the service executable path during the installation of Realtek Wireless LAN Utility 700.1631. The installer registers the service with an unquoted path in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtlNsu. This oversight allows the operating system to misinterpret path segments when spaces exist in directory names, leading to unintended executable resolution.
Attack Vector
This is a local attack vector requiring an attacker to have local access to the vulnerable system with write permissions to directories in the service path. The attacker must:
- Identify the unquoted service path in the Windows registry
- Determine writable locations along the path where a malicious executable can be planted
- Place a crafted executable (e.g., Program.exe or Wireless.exe) in the target directory
- Wait for a system reboot or service restart to trigger execution
The malicious payload will then execute with SYSTEM privileges when the vulnerable service starts. Technical details and proof-of-concept information are available at Exploit-DB #49646 and the VulnCheck Advisory.
Detection Methods for CVE-2021-47880
Indicators of Compromise
- Unexpected executables appearing in C:\ root directory (e.g., Program.exe, Wireless.exe)
- Unusual process execution originating from the SYSTEM account in non-standard paths
- Registry modifications to the RtlNsu service path
- New files with executable extensions in directories along the Realtek service path
Detection Strategies
- Query the Windows registry for unquoted service paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in C:\ and C:\Program Files\ for unexpected executables
- Implement application whitelisting to prevent unauthorized executable execution
- Use SentinelOne's behavioral AI to detect anomalous process spawning from service contexts
Monitoring Recommendations
- Enable Windows Security Event logging for service-related events (Event IDs 7045, 7040)
- Configure file integrity monitoring on system directories to detect new executable files
- Regularly audit service configurations for unquoted paths across the enterprise
- Deploy SentinelOne Singularity platform for real-time detection of privilege escalation attempts
How to Mitigate CVE-2021-47880
Immediate Actions Required
- Audit the system for the presence of the vulnerable Realtek Wireless LAN Utility 700.1631
- Manually correct the service path by adding quotation marks around the executable path in the registry
- Remove any suspicious executables from C:\ and intermediate directories in the service path
- Restrict write permissions on system root and Program Files directories to administrators only
Patch Information
At the time of publication, check the Realtek Official Website for updated driver and utility packages that address this vulnerability. Users should upgrade to the latest version of the Realtek Wireless LAN Utility that properly quotes the service path during installation.
Workarounds
- Manually fix the registry entry by enclosing the service path in quotes: navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtlNsu and modify the ImagePath value
- Implement strict access controls to prevent non-administrative users from writing to system directories
- Use Windows Defender Application Control or similar solutions to block execution of unsigned executables
- Deploy endpoint detection and response (EDR) solutions like SentinelOne to monitor for exploitation attempts
# PowerShell command to fix unquoted service path
$serviceName = "RtlNsu"
$service = Get-WmiObject win32_service | Where-Object {$_.Name -eq $serviceName}
$currentPath = $service.PathName
if ($currentPath -notlike '"*"') {
$newPath = '"' + $currentPath + '"'
sc.exe config $serviceName binpath= $newPath
Write-Output "Service path updated to: $newPath"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
