CVE-2022-50921 Overview
CVE-2022-50921 is an unquoted service path vulnerability affecting WOW21 version 5.0.1.9. This security flaw allows local attackers to potentially execute arbitrary code with elevated system privileges. The vulnerability exists because the service binary path is not properly enclosed in quotation marks, enabling attackers to inject malicious executables that will be launched with LocalSystem permissions during service startup.
Critical Impact
Local privilege escalation to SYSTEM-level access through malicious executable injection in unquoted service path
Affected Products
- WOW21 5.0.1.9
Discovery Timeline
- 2026-01-13 - CVE CVE-2022-50921 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50921
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). When Windows services are configured with paths containing spaces that are not enclosed in quotation marks, the operating system's path parsing behavior can be exploited. Windows attempts to locate and execute binaries by iterating through different interpretations of the path, checking each space-separated segment as a potential executable name.
In the case of WOW21, the service executable path is stored in the Windows Registry without proper quoting. When the service starts, Windows follows its standard path resolution algorithm, attempting to find an executable at each potential breakpoint in the path. An attacker with write access to directories earlier in the path hierarchy can plant a malicious executable that will be executed instead of the legitimate service binary.
The exploitation requires local access to the system and write permissions to a directory within the unquoted path. Once a malicious executable is placed in the appropriate location, it will be executed with the same privileges as the service—typically LocalSystem—providing the attacker with complete control over the affected system.
Root Cause
The root cause of this vulnerability is improper handling of the service binary path during WOW21 installation. The installer fails to enclose the executable path in quotation marks when registering the Windows service. This configuration oversight allows the Windows Service Control Manager to misinterpret path segments containing spaces, potentially executing attacker-controlled binaries placed in intermediate directories.
Attack Vector
The attack vector is local, requiring an authenticated user to have write access to a directory within the unquoted service path. The attack proceeds as follows:
- The attacker identifies the unquoted service path in the Windows Registry
- The attacker determines which directories in the path allow write access
- A malicious executable is placed at a location that Windows will check before reaching the legitimate binary
- When the service restarts (either manually, through system reboot, or service crash recovery), the malicious executable runs with LocalSystem privileges
For detailed exploitation techniques and proof-of-concept code, see the Exploit-DB #50818 entry.
Detection Methods for CVE-2022-50921
Indicators of Compromise
- Unexpected executable files appearing in directories within the WOW21 installation path hierarchy
- New executables with generic names (e.g., Program.exe, WOW.exe) in C:\ or C:\Program Files\ root directories
- Service crash events followed by suspicious process execution under SYSTEM context
- Registry modifications to the WOW21 service ImagePath value
Detection Strategies
- Implement file integrity monitoring on directories within the WOW21 service path
- Monitor Windows Event logs for Service Control Manager events (Event ID 7000, 7009, 7034) related to the WOW21 service
- Use PowerShell or WMI queries to periodically audit services with unquoted paths: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Deploy endpoint detection rules to alert on executable creation in root directories and Program Files paths
Monitoring Recommendations
- Enable audit logging for file creation events in sensitive directories along the service path
- Configure SentinelOne Deep Visibility to track process creation chains originating from service binaries
- Monitor for processes spawned by services.exe that do not match expected executable hashes
How to Mitigate CVE-2022-50921
Immediate Actions Required
- Audit the WOW21 service registry entry and manually quote the binary path
- Review file system permissions on directories within the service path to restrict write access
- Monitor for any suspicious executables that may have already been placed in exploitable locations
- Consider restricting service account permissions using the principle of least privilege
Patch Information
Consult the VulnCheck Security Advisory for the latest remediation guidance. The vendor website may be accessed via the Web Archive Snapshot for additional information regarding updates or patches.
Workarounds
- Manually correct the service path by adding quotation marks around the executable path in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\WowService
- Remove write permissions for non-administrative users on all directories in the unquoted path
- Implement application whitelisting to prevent unauthorized executable execution
- Deploy SentinelOne's behavioral AI to detect and block suspicious privilege escalation attempts
# Registry fix example - Run as Administrator
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WowService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\WOW21\WowService.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
