CVE-2022-50920 Overview
CVE-2022-50920 is an unquoted service path vulnerability affecting Sandboxie-Plus version 5.50.2. The vulnerability exists in the SbieSvc Windows service, which is configured with an unquoted binary path. This configuration flaw allows local attackers to potentially execute arbitrary code by placing a malicious executable in a path that Windows will interpret before the legitimate service binary.
When Windows starts a service with an unquoted path containing spaces, it attempts to locate the executable by parsing the path at each space character. Attackers can exploit this behavior by placing a malicious executable at one of these intermediate locations, causing the system to execute the attacker's code with LocalSystem privileges during service startup.
Critical Impact
Local attackers can achieve privilege escalation to LocalSystem by exploiting the unquoted service path in the SbieSvc Windows service, potentially leading to complete system compromise.
Affected Products
- Sandboxie-Plus version 5.50.2
- SbieSvc Windows Service component
- Windows installations with Sandboxie-Plus 5.50.2 installed
Discovery Timeline
- 2026-01-13 - CVE-2022-50920 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50920
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). The SbieSvc Windows service in Sandboxie-Plus 5.50.2 is registered with a binary path that is not enclosed in quotation marks. When the service path contains spaces and is not properly quoted, Windows parses the path incrementally at each space character to locate the executable.
For example, if the service path is C:\Program Files\Sandboxie-Plus\SbieSvc.exe, Windows will attempt to execute the following candidates, in this order:
- C:\Program.exe
- C:\Program Files\Sandboxie-Plus\SbieSvc.exe
An attacker with write access to C:\ could place a malicious Program.exe that would be executed with LocalSystem privileges when the service starts.
Root Cause
The root cause of this vulnerability is improper service registration during the installation of Sandboxie-Plus 5.50.2. The service binary path was registered in the Windows Service Control Manager without enclosing quotation marks. This is a common configuration oversight that occurs when developers or installers fail to properly quote paths containing spaces. The Windows service registration should use the format "C:\Program Files\Sandboxie-Plus\SbieSvc.exe" with surrounding quotes to prevent path ambiguity.
Attack Vector
The attack requires local access to the vulnerable system with sufficient permissions to write files to directories in the unquoted path (such as C:\). An attacker would follow these steps:
- Identify the unquoted service path for SbieSvc by querying the Windows registry or using sc qc SbieSvc
- Create a malicious executable named to match an intermediate path component (e.g., Program.exe)
- Place the malicious executable in the target directory (e.g., C:\Program.exe)
- Wait for the service to restart (during system reboot or manual restart)
- The malicious code executes with LocalSystem privileges
The exploitation technique is documented in the Exploit-DB #50819 advisory. Additional technical details are available in the VulnCheck Sandboxie Plus Advisory.
Detection Methods for CVE-2022-50920
Indicators of Compromise
- Presence of unexpected executables in C:\ such as Program.exe or similar
- Unauthorized files in directories along the Sandboxie-Plus installation path
- Unusual processes running with LocalSystem privileges during service startup
- Windows Event Log entries showing service execution from unexpected paths
Detection Strategies
- Query all Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
- Monitor file creation events in root directories and common intermediate paths
- Implement application whitelisting to prevent unauthorized executable execution
- Use SentinelOne's behavioral AI to detect anomalous process execution patterns during service startup
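The path parsing described under Vulnerability Analysis and the service query under Detection Strategies can be combined into one audit. The following PowerShell is an added example, not code from this advisory or from Sandboxie-Plus; the function name Get-UnquotedPathCandidate and the three sample service entries are constructed for illustration. It ignores spaces that occur only in arguments after the .exe, which the simple -like '* *' filter would report as findings.

```powershell
# Added example: list the executables Windows would try before the real
# service binary when ImagePath is unquoted. No output = not affected.
function Get-UnquotedPathCandidate {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($path.StartsWith('"')) { return }        # quoted: no ambiguity

    # Keep only the executable portion. Spaces after ".exe" belong to the
    # arguments (e.g. "svchost.exe -k netsvcs") and create no candidates.
    if ($path -notmatch '^(.+?\.exe)(\s|$)') { return }
    $exe = $Matches[1]

    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $prefix = $exe.Substring(0, $idx)
        # .exe is appended only when the truncated name has no extension
        if (-not [IO.Path]::GetExtension($prefix)) { $prefix += '.exe' }
        $prefix                                   # emit candidate
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

# Constructed sample entries (service name and ImagePath), not real host data.
$services = @(
    [pscustomobject]@{ Name = 'SbieSvc';   PathName = 'C:\Program Files\Sandboxie-Plus\SbieSvc.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'; PathName = '"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"' }
    [pscustomobject]@{ Name = 'HostedSvc'; PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)
# On a live host, audit the real services instead:
# $services = Get-CimInstance Win32_Service | Where-Object PathName

foreach ($svc in $services) {
    foreach ($candidate in Get-UnquotedPathCandidate $svc.PathName) {
        [pscustomobject]@{
            Service   = $svc.Name
            Candidate = $candidate
            # A file already present here runs instead of the service binary
            Exists    = Test-Path -LiteralPath $candidate -PathType Leaf
        }
    }
}
```

Any row in the output means the service registration should be quoted; a row with Exists set to True means a file is already sitting at a candidate path and should be investigated.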
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification (Event IDs 7045, 4697)
- Configure file integrity monitoring on directories commonly targeted by unquoted path attacks
- Monitor process creation events for services spawning from unexpected locations
- Deploy SentinelOne Singularity Platform for real-time detection of privilege escalation attempts
How to Mitigate CVE-2022-50920
Immediate Actions Required
- Audit the SbieSvc service configuration using sc qc SbieSvc to confirm vulnerability status
- Manually correct the service path by adding quotation marks around the binary path
- Remove any suspicious executables from directories along the service path
- Restrict write permissions on root directories and intermediate installation paths
- Update Sandboxie-Plus to the latest version from the official Sandboxie-Plus website
Patch Information
Users should update to a patched version of Sandboxie-Plus that properly quotes the service binary path. Visit the Sandboxie Plus Official Page to download the latest version. After updating, verify that the service path is properly quoted by running sc qc SbieSvc and confirming the path is enclosed in quotation marks.
Workarounds
- Manually fix the registry entry by modifying HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc\ImagePath to include quotation marks
- Restrict write access to C:\ and intermediate directories to prevent malicious executable placement
- Implement application control policies to only allow approved executables to run
- Use SentinelOne's Singularity platform to detect and block unauthorized code execution attempts
REM Configuration example
REM Fix unquoted service path via registry modification
REM Run as Administrator in Command Prompt
REM Query current service configuration
sc qc SbieSvc
REM Correct the unquoted path by modifying the registry
REM (adjust the path if Sandboxie-Plus is installed in a different directory)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Sandboxie-Plus\SbieSvc.exe\"" /f
REM Verify the fix: BINARY_PATH_NAME should now be enclosed in quotation marks
sc qc SbieSvc


