CVE-2022-50930 Overview
Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.
Critical Impact
Local privilege escalation vulnerability enables attackers to execute arbitrary code with SYSTEM-level privileges through unquoted service path exploitation in TrapiServer service.
Affected Products
- Emerson PAC Machine Edition 9.80
- TrapiServer service component
Discovery Timeline
- 2026-01-13 - CVE CVE-2022-50930 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50930
Vulnerability Analysis
This vulnerability (CWE-428) represents an unquoted service path issue affecting the TrapiServer service in Emerson PAC Machine Edition 9.80. When Windows services are installed with executable paths that contain spaces and are not properly enclosed in quotation marks, the operating system attempts to locate the executable using a specific search pattern that can be exploited by attackers.
The TrapiServer service runs with LocalSystem privileges, which is the highest privilege level on Windows systems. When the service starts, Windows parses the unquoted path and attempts to find executables at various truncated path locations. An attacker with local access who can write to directories earlier in the path search order can place a malicious executable that gets executed instead of the legitimate service binary.
Root Cause
The root cause is the improper installation configuration of the TrapiServer service, where the service executable path containing spaces was registered in the Windows Service Control Manager without enclosing quotation marks. This violates secure service installation practices and creates an exploitable condition for local privilege escalation.
Attack Vector
The attack requires local access to the target system. An attacker must have write permissions to a directory that appears in the truncated path search order before the actual service executable location. When the TrapiServer service is started or restarted (including during system boot), Windows will execute the attacker's malicious binary with LocalSystem privileges instead of the legitimate service executable.
For example, if the service path is C:\Program Files\Emerson\PAC Machine Edition\TrapiServer.exe, Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files\Emerson\PAC.exe
- C:\Program Files\Emerson\PAC Machine.exe
If an attacker places a malicious Program.exe in C:\ or another accessible location in the path chain, it will execute with SYSTEM privileges.
Detection Methods for CVE-2022-50930
Indicators of Compromise
- Unexpected executable files named Program.exe, PAC.exe, or similar in root directories or intermediate path locations
- New processes spawning with SYSTEM privileges from unusual file system locations
- Modifications to directories in the TrapiServer service path hierarchy
- Suspicious service restart activity correlated with unauthorized code execution
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -like '* *' -and $_.PathName -notlike '"*"' }
- Monitor file creation events in directories along the service path, particularly C:\, C:\Program Files\, and related locations
- Implement endpoint detection rules for new executables with names matching path truncation patterns
- SentinelOne Singularity XDR provides automated detection of privilege escalation attempts through behavioral analysis of service-related process creation
Monitoring Recommendations
- Enable enhanced auditing for file system changes in directories that could be exploited for path hijacking
- Configure alerting for service configuration changes on systems running Emerson PAC Machine Edition
- Monitor for process execution chains where SYSTEM-privileged processes originate from unexpected paths
- Leverage SentinelOne's Storyline technology to correlate service startup events with suspicious binary execution
How to Mitigate CVE-2022-50930
Immediate Actions Required
- Audit the TrapiServer service configuration using sc qc TrapiServer and verify the ImagePath value
- If the path is unquoted and contains spaces, manually correct the registry entry to include quotation marks
- Restrict write permissions on directories in the service path hierarchy to prevent exploitation
- Review other installed services on affected systems for similar unquoted path vulnerabilities
Patch Information
Consult the VulnCheck Advisory on Emerson PAC for the latest remediation guidance. Contact Emerson support through their official website for information on updated installers that properly quote service paths. Additional technical details are available via the Exploit-DB #50745 entry.
Workarounds
- Manually correct the service path by adding quotation marks around the full executable path in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\TrapiServer
- Implement application whitelisting to prevent execution of unauthorized binaries from exploitable path locations
- Remove write permissions for non-administrative users from directories that could be used for path hijacking
- Consider running the affected service with a lower-privileged service account if system functionality permits
# Configuration example - Correcting the unquoted service path via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TrapiServer" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Emerson\PAC Machine Edition\TrapiServer.exe\"" /f
# Verify the correction
reg query "HKLM\SYSTEM\CurrentControlSet\Services\TrapiServer" /v ImagePath
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
