CVE-2022-50902 Overview
CVE-2022-50902 is an unquoted service path vulnerability affecting Wondershare FamiSafe 1.0, a parental control application. The FSService component contains an unquoted service path that allows local users with limited privileges to potentially execute arbitrary code with elevated LocalSystem permissions. This type of vulnerability occurs when a Windows service executable path contains spaces but is not enclosed in quotation marks, enabling attackers to place malicious executables in strategic locations along the path.
Critical Impact
Local attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that executes with LocalSystem permissions during service startup, achieving full system compromise.
Affected Products
- Wondershare FamiSafe 1.0
- FSService (Windows Service Component)
- Systems running FamiSafe on Windows with default installation paths
Discovery Timeline
- 2026-01-13 - CVE-2022-50902 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50902
Vulnerability Analysis
This vulnerability stems from improper configuration of the FSService Windows service path. When the FamiSafe application is installed to the default directory C:\Program Files (x86)\Wondershare\FamiSafe\, the service registration does not properly quote the executable path. Windows service paths that contain spaces must be enclosed in quotation marks to ensure the operating system correctly identifies the executable location.
Without proper quoting, Windows attempts to locate and execute files at each space boundary in the path before finding the intended executable. An attacker with write access to directories earlier in the path resolution order can plant a malicious executable that Windows will execute instead of the legitimate service binary.
The FSService runs with LocalSystem privileges, which represents the highest level of access on a Windows system. Successfully exploiting this vulnerability grants an attacker complete control over the affected machine, including access to all local resources, credential stores, and the ability to persist and move laterally within an environment.
Root Cause
The root cause is an insecure default configuration during the FamiSafe installation process. The Windows service registration for FSService stores the executable path without surrounding quotation marks. For example, the path C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe should be stored as "C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe" in the Windows registry.
When the unquoted path is parsed by the Windows Service Control Manager (SCM), it interprets spaces as potential argument separators. This causes Windows to attempt execution in the following order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe
Attack Vector
This vulnerability requires local access to the target system. An attacker must have the ability to write files to strategic locations in the path hierarchy. Common exploitation scenarios include:
Path Hijacking via Writable Directories: If an attacker can write to C:\ or another directory in the path resolution chain, they can create a malicious executable named Program.exe or Files.exe. When the FSService starts (either during system boot or manual restart), Windows executes the malicious file with LocalSystem privileges.
Privilege Escalation from Low-Privilege User: A standard user account that has been compromised or is controlled by an insider threat can exploit this vulnerability to escalate privileges to SYSTEM level, bypassing standard Windows security controls.
The exploitation mechanism relies on the Windows path resolution behavior combined with service startup events. Technical details regarding the exploitation methodology can be found in the Exploit-DB #50757 entry and the VulnCheck Advisory.
Detection Methods for CVE-2022-50902
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Files.exe, or similar in C:\ or intermediate directories along the FamiSafe installation path
- Unusual process execution trees showing child processes spawned from FSService with unexpected executable paths
- Registry modifications to the FSService ImagePath value
- New executable files created in C:\Program Files (x86)\Wondershare\ with names that match path component boundaries
Detection Strategies
- Query Windows services for unquoted service paths using WMI or PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -match ' ' -and $_.PathName -notmatch '"'}
- Monitor file creation events in root directories (C:\) and program directories for executables named after path components
- Implement behavioral detection for processes spawned by services that don't match expected service executable hashes
- Alert on privilege escalation events where low-privilege users suddenly gain SYSTEM-level access
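The resolution order listed under Root Cause and the service query above, combined into one audit as an added example (not part of the original advisory or any vendor code). It skips services whose only spaces are in their arguments and reports whether a candidate file already exists on disk. Assumptions: `Get-UnquotedPathCandidate` and `Find-UnquotedServicePath` are hypothetical names, the three sample rows are constructed, and splitting at the first `.exe` is a heuristic.

```powershell
# Added example: function names are hypothetical, not part of FamiSafe or Windows.
function Get-UnquotedPathCandidate {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { return }          # quoted path: nothing ambiguous

    # Heuristic: the executable ends at the first ".exe" followed by a space or end of string.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Each space inside the executable portion yields one earlier candidate path.
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $exe.Substring(0, $i) + '.exe'
    }
}

function Find-UnquotedServicePath {
    # Defaults to the live service list; pass objects with Name/StartName/PathName to test offline.
    param($Services = (Get-CimInstance Win32_Service))

    foreach ($svc in $Services) {
        if (-not $svc.PathName) { continue }
        $candidates = @(Get-UnquotedPathCandidate $svc.PathName)
        if ($candidates.Count -eq 0) { continue }
        [pscustomobject]@{
            Name       = $svc.Name
            StartName  = $svc.StartName
            PathName   = $svc.PathName
            Candidates = $candidates
            # Candidates that already exist as files deserve immediate investigation.
            Present    = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        }
    }
}

# Constructed sample rows so the logic can be exercised without FamiSafe installed.
$sample = @(
    [pscustomobject]@{ Name = 'FSService'; StartName = 'LocalSystem'
        PathName = 'C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'; StartName = 'LocalSystem'
        PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ArgsOnly'; StartName = 'LocalSystem'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
Find-UnquotedServicePath -Services $sample | Format-List
```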
Monitoring Recommendations
- Enable Windows Security Event logging for service state changes (Event ID 7045 for new service installation, Event ID 7036 for service state changes)
- Deploy endpoint detection rules to flag execution of Program.exe or Files.exe from the root drive
- Monitor registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSService for unauthorized modifications
- Implement file integrity monitoring on the FamiSafe installation directory
How to Mitigate CVE-2022-50902
Immediate Actions Required
- Verify if Wondershare FamiSafe 1.0 is installed on systems within your environment using software inventory tools
- Manually quote the service path in the Windows registry by navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSService and enclosing the ImagePath value in quotation marks
- Restrict write permissions to C:\ and intermediate directories in the service path to prevent malicious file placement
- Consider temporarily disabling the FSService until a vendor patch is applied
Patch Information
Check the Wondershare Official Website for updated versions of FamiSafe that address this vulnerability. Ensure you upgrade to the latest available version that properly quotes the service path during installation. Review the VulnCheck Advisory for additional guidance on remediation.
Workarounds
- Manually fix the unquoted service path by adding quotation marks around the ImagePath value in the Windows registry
- Implement application whitelisting solutions to prevent unauthorized executables from running, even if placed in exploitation paths
- Use least-privilege principles to restrict user write access to system directories
- Deploy endpoint protection solutions like SentinelOne that can detect and prevent privilege escalation attempts
REM Registry fix command (run in an Administrator Command Prompt)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FSService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe\"" /f
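The same registry change done from PowerShell for any service name, as an added example that is not part of the original advisory or vendor tooling; it goes beyond the single command above by keeping trailing arguments and the existing value type. Assumptions: `ConvertTo-QuotedImagePath` and `Repair-ServiceImagePath` are hypothetical names, the sample strings are constructed, and splitting at the first `.exe` is a heuristic.

```powershell
# Added example: function names are hypothetical, not part of FamiSafe or Windows.
function ConvertTo-QuotedImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $p }       # already quoted
    # Heuristic: executable ends at the first ".exe"; the rest is arguments.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>(\s.*)?)$', 'IgnoreCase')
    if (-not $m.Success -or -not $m.Groups['exe'].Value.Contains(' ')) { return $p }
    '"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['args'].Value
}

function Repair-ServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $reg  = Get-Item -LiteralPath $key -ErrorAction Stop
    $opt  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $old  = [string]$reg.GetValue('ImagePath', '', $opt)   # keep %vars% unexpanded
    if (-not $old) { throw "No ImagePath value under $key" }
    $kind = $reg.GetValueKind('ImagePath')                 # preserve REG_SZ / REG_EXPAND_SZ
    $new  = ConvertTo-QuotedImagePath $old

    # Write only when the value actually changes; -WhatIf previews without writing.
    if ($new -ne $old -and $PSCmdlet.ShouldProcess($key, "Set ImagePath to $new")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $new -Type $kind
    }
    [pscustomobject]@{ Service = $Name; Before = $old; After = $new }
}

# Constructed inputs: exercise the string logic without touching the registry.
ConvertTo-QuotedImagePath 'C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe'
ConvertTo-QuotedImagePath 'C:\Windows\System32\svchost.exe -k netsvcs'

# On an affected host, preview from an elevated session before applying:
# Repair-ServiceImagePath -Name FSService -WhatIf
```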


