CVE-2022-50904 Overview
CVE-2022-50904 is an unquoted service path vulnerability in Wondershare UBackit 2.0.5 that allows local users to potentially execute arbitrary code with elevated system privileges. The vulnerability exists in the wsbackup service, where the service executable path is not properly quoted. Attackers with local access can exploit this flaw to inject malicious executables that would run with LocalSystem permissions during service startup, leading to complete system compromise.
Critical Impact
Local privilege escalation to SYSTEM level access through unquoted service path exploitation in the wsbackup service.
Affected Products
- Wondershare UBackit 2.0.5
- wsbackup service component
- Windows installations with Wondershare UBackit
Discovery Timeline
- 2026-01-13 - CVE CVE-2022-50904 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50904
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a classic Windows privilege escalation technique. When a Windows service is configured with a path containing spaces that is not enclosed in quotation marks, the operating system's CreateProcess function attempts to locate the executable by parsing the path at each space. This creates an opportunity for attackers to place a malicious executable at one of the intermediate paths that Windows checks before reaching the intended executable.
The wsbackup service in Wondershare UBackit 2.0.5 contains such an unquoted path configuration. Since Windows services typically run with elevated privileges (often LocalSystem), any code executed through this vector would inherit those privileges, allowing complete system takeover.
Root Cause
The root cause is improper service registration where the executable path was not enclosed in quotation marks. When registering a Windows service with a path like C:\Program Files\Wondershare\UBackit\wsbackup.exe, the path must be quoted as "C:\Program Files\Wondershare\UBackit\wsbackup.exe". Without proper quoting, Windows interprets spaces as argument delimiters and attempts multiple path resolutions.
Attack Vector
The attack vector is local, requiring an attacker to have initial access to the target system with sufficient privileges to write files to certain directories. The exploitation process involves placing a malicious executable (such as Program.exe in C:\ or Wondershare.exe in C:\Program Files\) that Windows will execute before reaching the legitimate service binary. When the service is started (either manually, on system reboot, or through service recovery), the malicious payload executes with SYSTEM privileges.
For example, if the unquoted path is C:\Program Files\Wondershare\UBackit\wsbackup.exe, Windows will attempt to execute in order:
- C:\Program.exe
- C:\Program Files\Wondershare.exe
- C:\Program Files\Wondershare\UBackit.exe
- C:\Program Files\Wondershare\UBackit\wsbackup.exe
An attacker placing a malicious executable at any of the first three locations would achieve code execution with elevated privileges. Technical details and proof-of-concept information are available at the Exploit-DB #50758 entry.
Detection Methods for CVE-2022-50904
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Wondershare.exe, or UBackit.exe in C:\ or C:\Program Files\ directories
- Suspicious service startup events correlating with new process creation from unexpected paths
- Modification timestamps on system directories that deviate from normal installation patterns
- Windows Event Log entries showing service failures followed by unexpected executable launches
Detection Strategies
- Enumerate all Windows services and identify those with unquoted paths containing spaces using tools like wmic or PowerShell's Get-WmiObject
- Monitor file system activity in common exploitation paths (C:\, C:\Program Files\) for new executable creation
- Implement application whitelisting to prevent unauthorized executables from running in privileged contexts
- Use endpoint detection rules to alert on service-related privilege escalation patterns
Monitoring Recommendations
- Configure audit policies to log file creation events in root and Program Files directories
- Enable Windows Security Event logging for service installation and configuration changes (Event IDs 7045, 7040)
- Deploy behavioral analysis to detect anomalous process ancestry where services spawn unexpected child processes
- Regularly scan for unquoted service paths as part of vulnerability assessment routines
How to Mitigate CVE-2022-50904
Immediate Actions Required
- Verify if Wondershare UBackit 2.0.5 is installed on systems and identify the wsbackup service configuration
- Manually correct the service path by enclosing it in quotation marks using the Windows Registry or sc config command
- Restrict write permissions on directories that could be exploited (C:\, C:\Program Files\)
- Consider disabling or removing the vulnerable service until a vendor patch is available
Patch Information
Check the Wondershare Official Site for updated versions of UBackit that address this vulnerability. Review the VulnCheck Advisory for additional remediation guidance and patch status information.
Workarounds
- Manually fix the unquoted service path in the Windows Registry by adding quotation marks around the ImagePath value
- Implement file system access controls to prevent non-administrators from creating executables in exploitable paths
- Use Windows Defender Application Control (WDAC) or AppLocker to block unauthorized executable execution
- Monitor and restrict service account privileges where possible
# Configuration example
# Manually fix unquoted service path using sc command
sc config wsbackup binPath= "\"C:\Program Files\Wondershare\UBackit\wsbackup.exe\""
# Alternative: Fix via PowerShell by modifying registry
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wsbackup" -Name "ImagePath" -Value '"C:\Program Files\Wondershare\UBackit\wsbackup.exe"'
# Verify the fix was applied
sc qc wsbackup
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
