Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-50920

CVE-2022-50920: Sandboxie-Plus Privilege Escalation Flaw

CVE-2022-50920 is an unquoted service path vulnerability in Sandboxie-Plus 5.50.2 that enables local attackers to execute code with LocalSystem privileges. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2022-50920 Overview

CVE-2022-50920 is an unquoted service path vulnerability affecting Sandboxie-Plus version 5.50.2. The vulnerability exists in the SbieSvc Windows service, which is configured with an unquoted binary path. This configuration flaw allows local attackers to potentially execute arbitrary code by placing a malicious executable in a path that Windows will interpret before the legitimate service binary.

When Windows starts a service with an unquoted path containing spaces, it attempts to locate the executable by parsing the path at each space character. Attackers can exploit this behavior by placing a malicious executable at one of these intermediate locations, causing the system to execute the attacker's code with LocalSystem privileges during service startup.

Critical Impact

Local attackers can achieve privilege escalation to LocalSystem by exploiting the unquoted service path in the SbieSvc Windows service, potentially leading to complete system compromise.

Affected Products

  • Sandboxie-Plus version 5.50.2
  • SbieSvc Windows Service component
  • Windows installations with Sandboxie-Plus 5.50.2 installed

Discovery Timeline

  • 2026-01-13 - CVE-2022-50920 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50920

Vulnerability Analysis

This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). The SbieSvc Windows service in Sandboxie-Plus 5.50.2 is registered with a binary path that is not enclosed in quotation marks. When the service path contains spaces and is not properly quoted, Windows parses the path incrementally at each space character to locate the executable.

For example, if the service path is C:\Program Files\Sandboxie-Plus\SbieSvc.exe, Windows will attempt to execute in the following order:

  1. C:\Program.exe
  2. C:\Program Files\Sandboxie-Plus\SbieSvc.exe

An attacker with write access to C:\ could place a malicious Program.exe that would be executed with LocalSystem privileges when the service starts.

Root Cause

The root cause of this vulnerability is improper service registration during the installation of Sandboxie-Plus 5.50.2. The service binary path was registered in the Windows Service Control Manager without enclosing quotation marks. This is a common configuration oversight that occurs when developers or installers fail to properly quote paths containing spaces. The Windows service registration should use the format "C:\Program Files\Sandboxie-Plus\SbieSvc.exe" with surrounding quotes to prevent path ambiguity.

Attack Vector

The attack requires local access to the vulnerable system with sufficient permissions to write files to directories in the unquoted path (such as C:\). An attacker would follow these steps:

  1. Identify the unquoted service path for SbieSvc by querying the Windows registry or using sc qc SbieSvc
  2. Create a malicious executable named to match an intermediate path component (e.g., Program.exe)
  3. Place the malicious executable in the target directory (e.g., C:\Program.exe)
  4. Wait for the service to restart (during system reboot or manual restart)
  5. The malicious code executes with LocalSystem privileges

The exploitation technique is documented in the Exploit-DB #50819 advisory. Additional technical details are available in the VulnCheck Sandboxie Plus Advisory.

Detection Methods for CVE-2022-50920

Indicators of Compromise

  • Presence of unexpected executables in C:\ such as Program.exe or similar
  • Unauthorized files in directories along the Sandboxie-Plus installation path
  • Unusual processes running with LocalSystem privileges during service startup
  • Windows Event Log entries showing service execution from unexpected paths

Detection Strategies

  • Query all Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
  • Monitor file creation events in root directories and common intermediate paths
  • Implement application whitelisting to prevent unauthorized executable execution
  • Use SentinelOne's behavioral AI to detect anomalous process execution patterns during service startup

Monitoring Recommendations

  • Enable Windows Security Event logging for service creation and modification (Event IDs 7045, 4697)
  • Configure file integrity monitoring on directories commonly targeted by unquoted path attacks
  • Monitor process creation events for services spawning from unexpected locations
  • Deploy SentinelOne Singularity Platform for real-time detection of privilege escalation attempts

How to Mitigate CVE-2022-50920

Immediate Actions Required

  • Audit the SbieSvc service configuration using sc qc SbieSvc to confirm vulnerability status
  • Manually correct the service path by adding quotation marks around the binary path
  • Remove any suspicious executables from directories along the service path
  • Restrict write permissions on root directories and intermediate installation paths
  • Update Sandboxie-Plus to the latest version from the official Sandboxie-Plus website

Patch Information

Users should update to a patched version of Sandboxie-Plus that properly quotes the service binary path. Visit the Sandboxie Plus Official Page to download the latest version. After updating, verify that the service path is properly quoted by running sc qc SbieSvc and confirming the path is enclosed in quotation marks.

Workarounds

  • Manually fix the registry entry by modifying HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc\ImagePath to include quotation marks
  • Restrict write access to C:\ and intermediate directories to prevent malicious executable placement
  • Implement application control policies to only allow approved executables to run
  • Use SentinelOne's Singularity platform to detect and block unauthorized code execution attempts
bash
# Configuration example
# Fix unquoted service path via registry modification
# Run as Administrator in Command Prompt

# Query current service configuration
sc qc SbieSvc

# Correct the unquoted path by modifying the registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Sandboxie-Plus\SbieSvc.exe\"" /f

# Verify the fix
sc qc SbieSvc

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.