CVE-2022-39959 Overview
CVE-2022-39959 is a privilege escalation vulnerability affecting Panini Everest Engine 2.0.4 on Windows systems. The vulnerability stems from an unquoted service path in the Everest Engine service, which runs with SYSTEM privileges. Unprivileged local users can exploit this flaw by placing a malicious executable named Everest.exe in the %PROGRAMDATA%\Panini folder. When the service starts, Windows path resolution may execute the attacker's Trojan horse instead of the legitimate EverestEngine.exe binary.
Critical Impact
Local privilege escalation to SYSTEM-level access through unquoted service path exploitation, enabling complete system compromise.
Affected Products
- Panini Everest Engine 2.0.4
- Microsoft Windows (all versions running affected Panini software)
Discovery Timeline
- 2022-10-07 - CVE-2022-39959 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-39959
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a common Windows privilege escalation technique. The Panini Everest Engine service is configured to execute from the path %PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe. However, this path contains spaces and is not properly enclosed in quotation marks in the service configuration.
When Windows attempts to start a service with an unquoted path containing spaces, it follows a specific search order, attempting to execute binaries at each possible path interpretation. In this case, Windows will first look for %PROGRAMDATA%\Panini\Everest.exe before trying the intended full path. Since unprivileged users have write access to the %PROGRAMDATA%\Panini folder, an attacker can place a malicious Everest.exe file there.
When the Everest Engine service restarts (either manually, after a system reboot, or through other means), the malicious executable runs with SYSTEM privileges instead of the legitimate application, granting the attacker complete control over the affected system.
Root Cause
The root cause is improper service configuration during installation. The Panini Everest Engine installer failed to enclose the service executable path in quotation marks, combined with overly permissive directory permissions on the %PROGRAMDATA%\Panini folder that allow unprivileged users to write files.
Attack Vector
The attack requires local access to the target system. An attacker with low-privilege user credentials can exploit this vulnerability without any user interaction. The attacker creates a malicious executable named Everest.exe in the %PROGRAMDATA%\Panini directory and waits for the Everest Engine service to restart. Upon service restart, the malicious payload executes with SYSTEM privileges, providing the attacker with the highest level of Windows system access.
The exploitation path follows this sequence: the attacker identifies the vulnerable unquoted service path, creates a malicious payload binary, places it in the writable %PROGRAMDATA%\Panini directory as Everest.exe, and triggers a service restart through a system reboot or other means. Technical details and proof-of-concept information are available in the GitHub PoC Repository.
Detection Methods for CVE-2022-39959
Indicators of Compromise
- Presence of unexpected Everest.exe file in %PROGRAMDATA%\Panini\ directory
- Unauthorized file creation events in the %PROGRAMDATA%\Panini\ folder
- Suspicious process execution events where Everest.exe spawns from the Panini directory
- SYSTEM-level processes originating from non-standard Panini executable paths
Detection Strategies
- Monitor file system changes in %PROGRAMDATA%\Panini\ for creation of Everest.exe
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
- Implement file integrity monitoring on critical service directories
- Audit service startup events for unexpected executable paths
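The one-liner above also flags services whose only space is in their arguments. This added PowerShell example (not code from the advisory or from Panini) applies the search order described under Vulnerability Analysis to list the earlier file names Windows would try for each unquoted path and whether such a file already exists. The function names and the two non-Panini sample paths are hypothetical.

```powershell
# Added example, not vendor code. Function names are hypothetical.
function Get-HijackCandidate {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return }

    $expanded = [Environment]::ExpandEnvironmentVariables($PathName).Trim()
    if ($expanded.StartsWith('"')) { return }        # quoted: unambiguous

    # Heuristic: the image path ends at the first ".exe" that is followed by
    # whitespace or end of string; anything after that is arguments.
    $m = [regex]::Match($expanded, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $image = $m.Groups[1].Value

    # Each space inside the image path is a point where Windows may stop and
    # try "<prefix>.exe" before it reaches the intended binary.
    for ($i = 0; $i -lt $image.Length; $i++) {
        if ($image[$i] -eq ' ') { $image.Substring(0, $i) + '.exe' }
    }
}

function Get-UnquotedServiceFinding {
    param([string]$Name, [string]$PathName)
    foreach ($c in @(Get-HijackCandidate -PathName $PathName)) {
        [pscustomobject]@{
            Service   = $Name
            Candidate = $c
            Exists    = (Test-Path -LiteralPath $c)   # True = investigate the file
        }
    }
}

# Constructed samples: the path from this advisory, a quoted path, and an
# unquoted path with a space only in its arguments (no finding expected
# for the last two).
$samples = @(
    @{ Name = 'EverestEngine';  PathName = '%PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe' },
    @{ Name = 'QuotedSample';   PathName = '"C:\Program Files\Example App\svc.exe" -run' },
    @{ Name = 'ArgsOnlySample'; PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)
$samples | ForEach-Object { Get-UnquotedServiceFinding -Name $_.Name -PathName $_.PathName }

# Live audit of the local machine (Windows only):
Get-CimInstance Win32_Service |
    ForEach-Object { Get-UnquotedServiceFinding -Name $_.Name -PathName $_.PathName }
```

For the advisory's path, the only candidate reported is Everest.exe in the Panini folder, which is the file named in the indicators of compromise above.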
Monitoring Recommendations
- Enable Windows Security Event logging for process creation (Event ID 4688) with command-line auditing
- Configure Sysmon to monitor file creation events in %PROGRAMDATA%\ subdirectories
- Alert on any new executable files appearing in the Panini installation directory
- Monitor service control manager events (Event ID 7045) for service path modifications
How to Mitigate CVE-2022-39959
Immediate Actions Required
- Verify whether Everest.exe exists in %PROGRAMDATA%\Panini\ and remove if unauthorized
- Update the service path to include proper quotation marks around the full executable path
- Review and restrict directory permissions on %PROGRAMDATA%\Panini\ to prevent unprivileged write access
- Contact Panini for updated software versions that address this vulnerability
Patch Information
Consult the Panini News Announcement page for the latest information on patches and updated versions. Organizations should contact Panini directly to obtain patched versions of the Everest Engine software that properly quote the service path and implement secure directory permissions.
Workarounds
- Manually fix the unquoted path by modifying the service registry entry to include quotation marks
- Restrict write permissions on %PROGRAMDATA%\Panini\ to administrators only
- Implement application whitelisting to prevent unauthorized executables from running
- Use Windows Group Policy to restrict executable execution from data directories
rem Fix the unquoted service path in the Windows registry
rem Run in an elevated Command Prompt (Run as Administrator)
rem ("rem" is the Command Prompt comment marker; "#" lines would fail as commands)
rem First, verify the current service path
sc qc "EverestEngine"
rem Update the service binary path with proper quotation marks
sc config "EverestEngine" binPath= "\"C:\ProgramData\Panini\Everest Engine\EverestEngine.exe\""
rem Verify the fix was applied
sc qc "EverestEngine"
rem Restrict directory permissions (left commented out; remove "rem" to apply)
rem icacls "C:\ProgramData\Panini" /inheritance:d
rem icacls "C:\ProgramData\Panini" /remove:g "Users"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


