CVE-2021-47890 Overview
CVE-2021-47890 is an unquoted service path vulnerability affecting LogonExpert 8.1. The LogonExpertSvc service runs with LocalSystem privileges and contains an improperly quoted executable path. This misconfiguration allows local attackers to plant malicious executables in intermediate directories along the service path, potentially achieving elevated system access when the service starts.
Critical Impact
Local attackers with write access to intermediate directories can achieve LocalSystem privilege escalation by exploiting the unquoted service path during service startup.
Affected Products
- LogonExpert 8.1
- LogonExpertSvc Windows Service
Discovery Timeline
- 2026-01-23 - CVE-2021-47890 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2021-47890
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration issue. When a Windows service executable path contains spaces and is not properly enclosed in quotation marks, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path at each space character.
For example, if the service path is C:\Program Files\LogonExpert\LogonExpertSvc.exe, Windows will attempt to execute files in the following order:
- C:\Program.exe
- C:\Program Files\LogonExpert\LogonExpertSvc.exe
An attacker who can write to C:\ or other intermediate directories can place a malicious executable named Program.exe that will be executed with LocalSystem privileges when the service starts.
Root Cause
The root cause stems from improper installation configuration where the service executable path was registered without surrounding quotation marks. The LogonExpert installer failed to properly quote the service binary path in the Windows registry, leaving the ImagePath value vulnerable to path injection attacks. This is a common oversight in software installers that do not follow Windows service path quoting best practices.
Attack Vector
The attack requires local access to the target system with write permissions to one of the directories in the service path hierarchy. When these conditions are met, the attacker performs the following steps:
- Identify the unquoted service path using wmic service get name,pathname,startmode
- Verify write permissions to an intermediate directory (e.g., C:\ or C:\Program Files\)
- Place a malicious executable at the injection point (e.g., C:\Program.exe)
- Wait for service restart or trigger a system reboot
- The malicious payload executes with LocalSystem privileges
Technical exploitation details are documented in the Exploit-DB #49586 advisory and the VulnCheck Advisory.
Detection Methods for CVE-2021-47890
Indicators of Compromise
- Unexpected executable files in C:\ directory such as Program.exe
- Unusual files in C:\Program Files\ with names matching partial directory paths
- New executables created in directories that are not typical installation locations
- Service startup failures or unexpected service behavior for LogonExpertSvc
Detection Strategies
- Query Windows services for unquoted paths using wmic service get name,pathname,startmode | findstr /i /v """"
- Monitor for file creation events in root directories and Program Files parent folders
- Implement file integrity monitoring on critical system paths
- Use endpoint detection tools to identify binaries executing from unexpected locations with SYSTEM privileges
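The following audit sketch is an added example, not code from the advisory or from the vendor. It applies the path resolution order described under Vulnerability Analysis to a service's ImagePath and checks whether any of the resulting interception files already exist, matching the indicators listed above. The function name `Get-UnquotedPathCandidates` is hypothetical and the service entries are constructed samples; the LogonExpertSvc path is the example path used on this page.

```powershell
# Added example, not advisory or vendor code. Function name is hypothetical.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }   # quoted ImagePath: nothing to intercept

    # Keep the executable portion only; arguments after ".exe" are not path elements.
    $m   = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }

    # Each space ends a prefix that Windows tries as "<prefix>.exe" before the real file.
    $candidates = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $candidates += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }
    return $candidates
}

# Constructed sample entries. On a live host, replace this array with:
#   Get-CimInstance Win32_Service | Where-Object PathName | Select-Object Name, PathName
$services = @(
    [pscustomobject]@{ Name = 'LogonExpertSvc'; PathName = 'C:\Program Files\LogonExpert\LogonExpertSvc.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc';      PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc';     PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

# One row per interception path; Exists = True means a file is already sitting there.
foreach ($s in $services) {
    foreach ($c in @(Get-UnquotedPathCandidates $s.PathName)) {
        [pscustomobject]@{
            Service   = $s.Name
            Candidate = $c
            Exists    = Test-Path -LiteralPath $c -PathType Leaf
        }
    }
}
```

With the sample data only LogonExpertSvc produces a row, with the candidate C:\Program.exe; the quoted service and the path without spaces produce none.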
Monitoring Recommendations
- Enable Windows Security Event logging for service control manager events (Event IDs 7045, 7000, 7009)
- Deploy SentinelOne Singularity to detect anomalous process execution chains originating from service startup
- Configure alerts for new executable files created in C:\ and intermediate path directories
- Monitor for processes running as SYSTEM that originate from non-standard paths
How to Mitigate CVE-2021-47890
Immediate Actions Required
- Audit all Windows services for unquoted paths using built-in Windows tools or third-party scanners
- Manually correct the LogonExpertSvc service path by adding quotation marks in the registry
- Remove any suspicious executables from C:\ and intermediate directories
- Restrict write permissions on root and program directories to administrators only
Patch Information
No official vendor patch information is available in the CVE data. Organizations should contact Softros Systems (the vendor) directly for updated installer packages. The Softros Company Website may contain updated versions that address this vulnerability. Alternatively, administrators can manually remediate by modifying the service configuration in the Windows registry.
Workarounds
- Manually quote the service path in the Windows registry at HKLM\SYSTEM\CurrentControlSet\Services\LogonExpertSvc\ImagePath
- Remove write permissions from intermediate directories for non-administrative users
- Consider running the service under a less privileged account if functionality allows
- Implement application whitelisting to prevent unauthorized executables from running
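REM Configuration example - fix the unquoted service path via the registry (run in an elevated cmd.exe)
REM The path below is the example install path used above; confirm the installed path first
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LogonExpertSvc" /v ImagePath
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LogonExpertSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\LogonExpert\LogonExpertSvc.exe\"" /f
REM Verify the change
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LogonExpertSvc" /v ImagePath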


