CVE-2022-50808 Overview
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element).
Critical Impact
Local privilege escalation to SYSTEM-level access through malicious executable placement in unquoted service path
Affected Products
- CoolerMaster MasterPlus version 1.8.5
- MPService component
- Windows installations with MasterPlus software
Discovery Timeline
- 2026-01-13 - CVE-2022-50808 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50808
Vulnerability Analysis
The vulnerability exists within the MPService Windows service installed as part of CoolerMaster MasterPlus 1.8.5. The service executable path is registered without proper quotation marks, creating an exploitable condition when the path contains spaces. Windows service path parsing behavior attempts to locate executables at intermediate path locations when quotes are missing, enabling attackers with local access to plant malicious binaries that execute with SYSTEM privileges.
This unquoted service path vulnerability requires local access to the system but provides a reliable path to privilege escalation. The attack does not require user interaction beyond initial local system access, as code execution is triggered automatically during service startup or system reboot events.
Root Cause
The root cause is improper registration of the MPService executable path in the Windows service configuration. When the service path contains spaces (such as C:\Program Files\Cooler Master\...) and is not enclosed in quotation marks, Windows attempts to parse the path at each space boundary. This behavior allows an attacker to place a malicious executable at an intermediate path location (e.g., C:\Program.exe) that will be executed instead of the legitimate service binary.
Attack Vector
The attack requires local system access with sufficient privileges to write files to strategic path locations. An attacker can exploit this vulnerability by:
- Identifying the unquoted service path used by MPService
- Creating a malicious executable named to match an intermediate path component
- Placing the executable in a writable location along the service path
- Waiting for service restart or triggering a system reboot
When the service next starts, the malicious binary executes with SYSTEM privileges.
The vulnerability is exploited through the local attack vector, requiring the attacker to first gain local access to the target system before escalating privileges.
Detection Methods for CVE-2022-50808
Indicators of Compromise
- Presence of unexpected executables in C:\ root directory or C:\Program Files\ parent directories (e.g., Program.exe, Cooler.exe)
- Unusual process execution from root or unexpected directories with SYSTEM privileges
- Service startup logs showing execution of binaries outside expected installation paths
Detection Strategies
- Monitor Windows Event Logs for service startup failures or unusual service behavior related to MPService
- Implement file integrity monitoring on common exploitation paths (C:\Program.exe, C:\Program Files\Cooler.exe)
- Use endpoint detection tools to identify process creation events from unexpected paths running as SYSTEM
- Query Windows service configurations for unquoted paths using wmic service get name,displayname,pathname,startmode
Monitoring Recommendations
- Deploy behavioral analysis to detect privilege escalation attempts targeting Windows services
- Alert on file creation events in root and Program Files directories by non-administrative users
- Monitor for modifications to service configurations or new service registrations
- Implement SentinelOne Singularity Platform for real-time detection of privilege escalation techniques
How to Mitigate CVE-2022-50808
Immediate Actions Required
- Verify the MPService path configuration and manually add quotation marks around the service path in the registry
- Remove any suspicious executables from common exploitation paths (C:\Program.exe, etc.)
- Restrict write permissions to directories in the service path to prevent malicious binary placement
- Apply the principle of least privilege for local user accounts
Patch Information
Organizations should check the Cooler Master Product Page for updated versions of MasterPlus that address this vulnerability. Additional technical details are available in the VulnCheck Advisory for Cooler Master and Exploit-DB #51159.
Workarounds
- Manually fix the unquoted service path by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\MPService\ImagePath to include proper quotation marks
- Consider uninstalling MasterPlus software if not essential until a patched version is available
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use Windows Defender Credential Guard and other security features to limit impact of privilege escalation
# Registry fix to quote the service path (run as Administrator)
# First, back up the current registry value, then update it with the quoted path
reg query "HKLM\SYSTEM\CurrentControlSet\Services\MPService" /v ImagePath
# The query above only displays the current value; manually update ImagePath to include quotes around the full executable path
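The unquoted-path query under Detection Strategies and the ImagePath fix above can be combined into one audit. The following is an added example, not code from the advisory or from Cooler Master: it flags unquoted ImagePath values, lists the intermediate paths to place under file integrity monitoring, and produces the quoted replacement value. The service names and paths are constructed samples, and the rule that the executable ends at the first `.exe` is an assumption of this sketch.

```python
import re

# Constructed sample records (service name -> ImagePath); none of these
# paths come from the advisory or from a real MasterPlus installation.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent Tools\agent.exe -run",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\Agent Tools\agent.exe" -run',
    "SvcHostLike": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath.

    Assumption: the executable ends at the first '.exe' followed by
    whitespace or end of string; with no match, the whole value is
    treated as the executable.
    """
    m = re.search(r"\.exe(?=\s|$)", image_path, re.IGNORECASE)
    if not m:
        return image_path.strip(), ""
    return image_path[:m.end()].strip(), image_path[m.end():].strip()

def audit_image_path(image_path):
    """Classify one ImagePath; list the paths to watch and the quoted value."""
    value = image_path.strip()
    if value.startswith('"'):
        return {"unquoted": False, "watch": [], "fixed": value}
    exe, args = split_image_path(value)
    if " " not in exe:
        return {"unquoted": False, "watch": [], "fixed": value}
    # Windows tries the text before each space, with ".exe" appended,
    # before it reaches the real binary: those are the paths to monitor.
    watch = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return {"unquoted": True, "watch": watch, "fixed": fixed}

def audit_services(services):
    """Return only the services whose ImagePath is unquoted and has spaces."""
    results = {name: audit_image_path(path) for name, path in services.items()}
    return {name: r for name, r in results.items() if r["unquoted"]}

if __name__ == "__main__":
    for name, result in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", result["fixed"])
        for path in result["watch"]:
            print("  watch:", path)
```

On a real host, feed it the name and pathname columns from the service query and confirm that the proposed value points at the installed binary before writing it to ImagePath.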