CVE-2022-50915 Overview
PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe to inject malicious executables and gain system-level access.
Critical Impact
Local attackers with low privileges can exploit this unquoted service path to achieve privilege escalation and execute arbitrary code with SYSTEM-level permissions.
Affected Products
- PTPublisher 2.3.4
- Primera Technology PTPublisher with PTProtect service
- Systems running UsbFlashDongleService.exe
Discovery Timeline
- 2026-01-13 - CVE-2022-50915 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50915
Vulnerability Analysis
This vulnerability is classified as CWE-428: Unquoted Search Path or Element. The PTProtect service in PTPublisher 2.3.4 is configured with an unquoted service path, which creates a security weakness that local attackers can exploit. When Windows attempts to start a service with an unquoted path containing spaces, it will attempt to execute binaries at each space boundary in the path before finding the intended executable.
The vulnerable service path C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe contains multiple spaces, creating several exploitation opportunities. The local attack vector means an attacker must already have some level of access to the target system, but the low privilege requirement makes this accessible to standard user accounts.
Root Cause
The root cause is the improper configuration of the Windows service path without enclosing quotes. When registering the PTProtect service, the installer failed to wrap the executable path in quotation marks. This oversight allows the Windows Service Control Manager to misinterpret the path during service startup, as it parses the path at each space character looking for an executable.
Attack Vector
An attacker with local access and write permissions to C:\Program Files (x86)\Primera Technology\ or any parent directory can place a malicious executable at one of the locations Windows tries, in order, when resolving the unquoted path. The last entry is the path of the legitimate service binary:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\Primera.exe
- C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe
When the PTProtect service starts or restarts, Windows will execute the attacker's malicious binary with SYSTEM privileges before reaching the legitimate service executable. This allows the attacker to escalate from a low-privileged local user to full system access.
For technical details regarding exploitation, refer to the Exploit-DB #50885 documentation and the VulnCheck Advisory.
Detection Methods for CVE-2022-50915
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Program Files.exe, or Primera.exe in root directories or along the service path
- Unauthorized modifications to directories along the PTPublisher installation path
- Unexpected child processes spawned by the PTProtect service or UsbFlashDongleService.exe
- Suspicious service restart events for PTProtect in Windows Event logs
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in C:\, C:\Program Files (x86)\, and C:\Program Files (x86)\Primera Technology\ directories
- Implement application whitelisting to prevent execution of unauthorized binaries in sensitive paths
- Configure SentinelOne to detect and alert on suspicious executable placements in Windows system directories
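The audit below is an added example, not code from the advisory or the vendor. It extends the one-line query above by deriving, for each unquoted service path, the intermediate locations described under Technical Details and reporting whether a file already exists there. The function names are hypothetical.

```powershell
# Added example: function names are hypothetical. Read-only audit; run on the host being checked.

function Get-UnquotedPathCandidates {
    # Emits, in order, the files Windows tries before the full unquoted path.
    param([Parameter(Mandatory)][string]$ExePath)
    $pos = $ExePath.IndexOf(' ')
    while ($pos -ge 0) {
        $prefix = $ExePath.Substring(0, $pos)
        # .exe is appended only when the truncated name has no extension
        if (-not [IO.Path]::HasExtension($prefix)) { $prefix += '.exe' }
        $prefix
        $pos = $ExePath.IndexOf(' ', $pos + 1)
    }
}

function Find-UnquotedServicePath {
    # One row per candidate location for every service whose executable path
    # is unquoted and contains a space. Arguments after the .exe are ignored.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $svc = $_
            if ($svc.PathName -match '^(?<exe>.+?\.exe)(\s|$)' -and $Matches['exe'].Contains(' ')) {
                foreach ($candidate in Get-UnquotedPathCandidates -ExePath $Matches['exe']) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Candidate = $candidate
                        Exists    = (Test-Path -LiteralPath $candidate -PathType Leaf)
                    }
                }
            }
        }
}

# The intermediate locations for the service path named in this advisory
Get-UnquotedPathCandidates -ExePath 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe'

# A row with Exists = True is a file sitting where the service lookup would find it first
Find-UnquotedServicePath | Sort-Object Exists -Descending | Format-Table -AutoSize
```

Services such as svchost.exe that take arguments but have no space in the executable path are not reported, which removes the main false positive of the simpler query.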
Monitoring Recommendations
- Enable Windows Security Event logging for service installation and modification events (Event ID 7045, 7040)
- Configure file integrity monitoring for directories along the PTPublisher service path
- Monitor for privilege escalation patterns where low-privileged users suddenly gain SYSTEM-level access
- Review service configurations regularly for unquoted paths using automated scanning tools
How to Mitigate CVE-2022-50915
Immediate Actions Required
- Audit all systems running PTPublisher 2.3.4 for the vulnerable unquoted service path configuration
- Manually correct the service path by adding quotation marks around the executable path in the Windows Registry
- Remove any unauthorized executables found in directories along the service path
- Restrict write permissions on directories within the service path hierarchy to administrators only
Patch Information
Check the Primera Website for updated versions of PTPublisher that address this vulnerability. Review the VulnCheck Advisory for the latest remediation guidance and any available patches from the vendor.
Workarounds
- Manually fix the unquoted service path by modifying the Windows Registry to enclose the path in quotation marks
- Implement strict access controls on all directories in the vulnerable path to prevent unauthorized file writes
- Consider disabling the PTProtect service if it is not essential to operations until a patch is available
- Deploy application control policies to block execution of unsigned binaries in affected directories
rem Registry fix to correct the unquoted service path
rem Run in an elevated command prompt
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PTProtect" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe\"" /f
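A PowerShell form of the same fix, as an added example that is not from the advisory or the vendor: it reads the stored value, quotes only the executable portion so any existing arguments survive, and confirms the result. The function name is hypothetical and the registry key is the one used in the command above.

```powershell
# Added example: run in an elevated PowerShell session on the affected host.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PTProtect'

function ConvertTo-QuotedImagePath {
    # Wraps the executable portion in quotes and keeps any trailing arguments.
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath -match '^\s*"') { return $ImagePath }   # already quoted, nothing to do
    if ($ImagePath -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        return '"{0}"{1}' -f $Matches['exe'], $Matches['args']
    }
    throw "No .exe found in ImagePath: $ImagePath"
}

# Read the raw value; Get-ItemProperty would expand %VARIABLES% in a REG_EXPAND_SZ
$item    = Get-Item -LiteralPath $key -ErrorAction Stop
$current = $item.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
$fixed   = ConvertTo-QuotedImagePath -ImagePath $current

if ($fixed -eq $current) {
    Write-Output "ImagePath is already quoted: $current"
} else {
    Write-Output "Previous value (keep for rollback): $current"
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString

    # Re-read and confirm the stored value now starts with a quote
    $check = (Get-Item -LiteralPath $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($check -notmatch '^"') { throw "ImagePath was not updated: $check" }
    Write-Output "ImagePath is now: $check"
}
```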
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

