CVE-2021-47887 Overview
OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. This vulnerability exists due to improper handling of the service executable path, where spaces in the path C:\Program Files\Okidata\Print Job Accounting\ are not properly quoted. Attackers with local access can exploit this condition to inject malicious executables and escalate privileges on the affected system.
Critical Impact
Local attackers can exploit the unquoted service path to execute arbitrary code with elevated privileges, potentially leading to complete system compromise.
Affected Products
- OKI Print Job Accounting 4.4.10
- OkiJaSvc Windows Service
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47887 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47887
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a common configuration flaw in Windows services. The OkiJaSvc service is registered with an unquoted executable path containing spaces. When Windows attempts to start a service with an unquoted path containing spaces, it parses the path sequentially, attempting to execute each potential path segment as a binary.
For the path C:\Program Files\Okidata\Print Job Accounting\OkiJaSvc.exe, Windows will attempt to locate and execute in order: C:\Program.exe, C:\Program Files\Okidata\Print.exe, and C:\Program Files\Okidata\Print Job Accounting\OkiJaSvc.exe. If an attacker can place a malicious executable at one of these earlier path locations, their code will execute with the service's privileges instead of the legitimate service binary.
Root Cause
The root cause of this vulnerability is improper service registration in the Windows registry. When the OKI Print Job Accounting software is installed, the OkiJaSvc service path is stored without quotation marks enclosing the full path. This allows the Windows Service Control Manager to misinterpret path components separated by spaces as potential executable locations, creating a privilege escalation vector.
Attack Vector
The attack requires local access to the target system. An attacker must have write permissions to one of the directories in the unquoted path hierarchy (such as C:\ or C:\Program Files\Okidata\). The attacker places a malicious executable named Program.exe in the root of C:\ or Print.exe in C:\Program Files\Okidata\. When the OkiJaSvc service is started or restarted, Windows executes the attacker's binary with the elevated privileges of the service account, typically SYSTEM.
The exploitation mechanism leverages Windows' path parsing behavior. Since no verified code examples are available, the vulnerability can be understood through its exploitation flow: an attacker with local access identifies the unquoted service path using tools like wmic service get name,pathname or by querying the registry, then plants a malicious executable at one of the intermediate path locations. Upon service restart, the malicious code executes with elevated privileges. For detailed technical information, see the Exploit-DB #49623 advisory.
Detection Methods for CVE-2021-47887
Indicators of Compromise
- Presence of unexpected executables named Program.exe in C:\ or Print.exe in C:\Program Files\Okidata\
- Unusual child processes spawned by the OkiJaSvc service
- Modification of files in directories along the OKI Print Job Accounting installation path
- Unexpected registry modifications to the OkiJaSvc service ImagePath value
Detection Strategies
- Monitor for file creation events in C:\ for Program.exe or in service path directories for suspicious executables
- Use Windows Event Logs to track service start/stop events for OkiJaSvc with correlation to process creation
- Deploy endpoint detection rules to identify unquoted service path exploitation patterns
- Implement registry monitoring for changes to HKLM\SYSTEM\CurrentControlSet\Services\OkiJaSvc\ImagePath
Monitoring Recommendations
- Enable Windows Security Event ID 4688 (Process Creation) with command-line auditing
- Configure file integrity monitoring on directories within the affected service path
- Implement behavioral detection for processes spawned by services with unexpected parent-child relationships
- Monitor for privilege escalation indicators such as new SYSTEM-level processes from non-standard paths
How to Mitigate CVE-2021-47887
Immediate Actions Required
- Audit the OkiJaSvc service registry entry and manually add quotation marks around the ImagePath value
- Review file permissions on C:\ and C:\Program Files\Okidata\ to restrict write access
- Scan for any suspicious executables in the affected path hierarchy
- Consider disabling the OkiJaSvc service if not required for business operations
Patch Information
No official patch information is available from the vendor. The OKI Print Job Accounting product page has been archived. Administrators should manually remediate by quoting the service path in the Windows registry or contact OKI support for guidance. Additional information can be found in the VulnCheck Advisory for OKI Service.
Workarounds
- Manually quote the service path by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\OkiJaSvc\ImagePath to include quotation marks around the full path
- Restrict write permissions on all directories in the service path to administrators only
- Implement application whitelisting to prevent unauthorized executables from running
- Consider uninstalling OKI Print Job Accounting if the software is not actively required
# Registry fix to quote the service path
reg add "HKLM\SYSTEM\CurrentControlSet\Services\OkiJaSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Okidata\Print Job Accounting\OkiJaSvc.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
