CVE-2021-47945 Overview
CVE-2021-47945 is an unquoted service path vulnerability in Argus Surveillance DVR 4.0. The flaw resides in the DVRWatchdog service, which registers its binary path without enclosing quotation marks. When the Windows Service Control Manager parses the path, it interprets each space-delimited token as a potential executable. A local attacker with write access to an intermediate directory can place a malicious binary that executes with LocalSystem privileges when the service starts. The weakness is classified under CWE-428: Unquoted Search Path or Element.
Critical Impact
Successful exploitation grants LocalSystem privileges on the host, allowing full control over the affected DVR system.
Affected Products
- Argus Surveillance DVR 4.0
- DVRWatchdog Windows service component
- Installations placing binaries under C:\Program Files\ paths containing spaces
Discovery Timeline
- 2026-05-10 - CVE-2021-47945 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2021-47945
Vulnerability Analysis
The DVRWatchdog service is registered with an unquoted ImagePath value in the Windows registry. Windows parses unquoted paths containing spaces by attempting to execute each whitespace-delimited prefix as a binary. For a path such as C:\Program Files\Argus Surveillance\DVR\Watchdog.exe, the Service Control Manager will sequentially attempt to run C:\Program.exe, C:\Program Files\Argus.exe, and C:\Program Files\Argus Surveillance\DVR.exe before reaching the intended binary.
This behavior creates a hijack opportunity. Any account with write permissions to one of the intermediate directories can drop a payload that the SCM will execute under the service account context.
Root Cause
The root cause is improper quoting of the service binary path during installation. The vendor registered the service without surrounding the executable path in double quotes, leaving the Windows path parser to treat the space as a delimiter. The vulnerability is a configuration-level flaw rather than a memory safety issue, and it is fully described by [CWE-428].
Attack Vector
An attacker requires local access and the ability to write to a directory along the unquoted path. On default installations, C:\Program Files\ is typically restricted to administrators, which limits exploitability. However, when administrators relax permissions on subdirectories or when the application is installed to a non-default writable path, a low-privileged user can plant a malicious executable. Privilege escalation occurs automatically the next time the host reboots or the DVRWatchdog service restarts. See the VulnCheck Advisory on Argus DVR and Exploit-DB #50261 for additional technical context.
Detection Methods for CVE-2021-47945
Indicators of Compromise
- Unexpected executables such as Program.exe, Argus.exe, or DVR.exe placed in root or intermediate directories of the installation path
- Service start events for DVRWatchdog followed by process creation under NT AUTHORITY\SYSTEM from non-standard binaries
- Modified Access Control Lists (ACLs) on C:\Program Files\Argus Surveillance\ or parent directories permitting write access to non-administrative users
Detection Strategies
- Audit the HKLM\SYSTEM\CurrentControlSet\Services\DVRWatchdog registry key and inspect the ImagePath value for missing quotation marks around paths containing spaces.
- Enumerate Windows services with wmic service get name,pathname,startmode and flag any entries where the path contains spaces but is not enclosed in quotes.
- Monitor Sysmon Event ID 1 (process create) for child processes of services.exe originating from unexpected file paths.
Monitoring Recommendations
- Establish baseline file integrity monitoring on the Argus DVR installation directory and parent folders.
- Alert on writes to C:\ root or C:\Program Files\ performed by non-administrative accounts.
- Track service configuration changes via Windows Event ID 7045 (service installed) and 4697 (service installation audit).
How to Mitigate CVE-2021-47945
Immediate Actions Required
- Inventory all hosts running Argus Surveillance DVR 4.0 and identify services with unquoted ImagePath values.
- Manually correct the registry ImagePath for DVRWatchdog by wrapping the binary path in double quotes.
- Restrict NTFS permissions on C:\ and C:\Program Files\ so that only administrators can create or modify files.
Patch Information
No vendor patch is referenced in the available advisories. Administrators must apply manual configuration remediation. Consult Exploit-DB #50261 and the VulnCheck Advisory on Argus DVR for additional remediation guidance.
Workarounds
- Reconfigure the DVRWatchdog service ImagePath registry value to enclose the full executable path in double quotes.
- Remove write and modify permissions for non-privileged users on every directory along the service binary path.
- Where the application is not required, uninstall Argus Surveillance DVR 4.0 to eliminate the exposure.
# Configuration example
# Inspect the current ImagePath for the vulnerable service
reg query "HKLM\SYSTEM\CurrentControlSet\Services\DVRWatchdog" /v ImagePath
# Correct the unquoted ImagePath (run as administrator)
sc config DVRWatchdog binPath= "\"C:\Program Files\Argus Surveillance\DVR\Watchdog.exe\""
# Verify the change
wmic service where "name='DVRWatchdog'" get name,pathname
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
