CVE-2022-50935: Flame II HSPA USB Modem RCE Vulnerability

CVE-2022-50935 Overview

CVE-2022-50935 is an unquoted service path vulnerability affecting the Flame II HSPA USB Modem Windows service configuration. The vulnerability exists in the service executable path C:\Program Files (x86)\Internet Telcel\ApplicationController.exe, which is not properly enclosed in quotation marks. This allows attackers with local access to exploit Windows service path resolution behavior to execute arbitrary code with elevated system privileges.

Unquoted service path vulnerabilities (CWE-428) are a class of privilege escalation flaws that exploit how Windows resolves executable paths containing spaces. When a service path is unquoted and contains spaces, Windows attempts to locate the executable by testing multiple path combinations, potentially allowing an attacker to plant a malicious executable that gets executed with the service's privileges.

Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level access by exploiting the unquoted service path, enabling complete system compromise on affected hosts.

Affected Products

Flame II HSPA USB Modem
Internet Telcel ApplicationController service
Alcatel X602A Modem devices

Discovery Timeline

2026-01-13 - CVE CVE-2022-50935 published to NVD
2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50935

Vulnerability Analysis

This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a configuration flaw in how the Windows service is registered. The Flame II HSPA USB Modem software installs a Windows service with an executable path containing spaces that is not properly quoted in the service registry configuration.

When Windows attempts to start a service with an unquoted path like C:\Program Files (x86)\Internet Telcel\ApplicationController.exe, the Service Control Manager (SCM) processes the path from left to right, attempting to execute at each space boundary. This creates a predictable sequence of execution attempts that an attacker can exploit.

The attack requires local access to the system and write permissions to one of the intermediate directories along the path. Once a malicious executable is placed in the correct location, it will be executed with the same privileges as the vulnerable service—typically SYSTEM-level privileges for Windows services.

Root Cause

The root cause is improper quoting of the service ImagePath registry value during installation. When the Flame II HSPA USB Modem software installs its ApplicationController.exe service, it fails to enclose the full path in quotation marks. The correct configuration should specify the path as "C:\Program Files (x86)\Internet Telcel\ApplicationController.exe" to prevent Windows from misinterpreting the spaces in the path.

Attack Vector

The attack vector is local, requiring an attacker to have authenticated access to the target system. The exploitation technique involves:

Identifying the vulnerable unquoted service path in the Windows registry
Determining which intermediate path locations are writable by the attacker
Creating a malicious executable named to match one of the path segments Windows will attempt to execute
Waiting for or triggering a service restart to execute the planted malicious code

For the path C:\Program Files (x86)\Internet Telcel\ApplicationController.exe, Windows will attempt to execute in this order:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Internet.exe
C:\Program Files (x86)\Internet Telcel\ApplicationController.exe

If an attacker can write to C:\ or C:\Program Files (x86)\, they can plant Program.exe or Internet.exe respectively to achieve code execution with elevated privileges.

Detection Methods for CVE-2022-50935

Indicators of Compromise

Presence of unexpected executables named Program.exe, Internet.exe, or similar at path segment boundaries
Unusual process creation from Windows service accounts with suspicious parent-child relationships
Modifications to directories along the service path, particularly C:\Program Files (x86)\
Service crashes or unexpected restarts of the Internet Telcel ApplicationController service

Detection Strategies

Audit Windows services for unquoted paths using PowerShell queries against the registry: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
Monitor for file creation events in C:\, C:\Program Files\, and C:\Program Files (x86)\ directories that create executables with names matching path segments
Implement application whitelisting to prevent execution of unauthorized executables in sensitive directories
Deploy endpoint detection rules to identify service path exploitation patterns

Monitoring Recommendations

Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing
Configure file integrity monitoring on system directories to detect planted executables
Monitor service registry keys (HKLM\SYSTEM\CurrentControlSet\Services) for suspicious modifications
Review service account process trees for anomalous child process spawning

How to Mitigate CVE-2022-50935

Immediate Actions Required

Audit all Windows services for unquoted paths containing spaces and remediate by adding proper quotation marks
Verify directory permissions along the service path to restrict write access to administrators only
Consider temporarily disabling the Internet Telcel ApplicationController service if not required
Deploy endpoint protection rules to detect exploitation attempts

Patch Information

No vendor patch information is currently available for this vulnerability. Organizations using the affected Flame II HSPA USB Modem should contact the vendor for remediation guidance or consider replacing the device with a supported alternative. Technical details are available via the Exploit-DB #50708 entry and the VulnCheck Flame II Advisory.

Workarounds

Manually correct the service path in the Windows registry by enclosing it in quotation marks
Restrict write permissions on C:\ and C:\Program Files (x86)\ to prevent executable planting
Implement application control policies that prevent execution of unauthorized executables
Remove or disable the vulnerable service if modem functionality is not required

bash

# Registry fix to quote the service path (run as Administrator)
# First, query the current service path:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\ApplicationController" /v ImagePath

# Then update to properly quoted path:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ApplicationController" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Internet Telcel\ApplicationController.exe\"" /f

CVE-2022-50935 Overview

Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level access by exploiting the unquoted service path, enabling complete system compromise on affected hosts.

Affected Products

Flame II HSPA USB Modem
Internet Telcel ApplicationController service
Alcatel X602A Modem devices

Discovery Timeline

2026-01-13 - CVE CVE-2022-50935 published to NVD
2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50935

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector is local, requiring an attacker to have authenticated access to the target system. The exploitation technique involves:

Identifying the vulnerable unquoted service path in the Windows registry
Determining which intermediate path locations are writable by the attacker
Creating a malicious executable named to match one of the path segments Windows will attempt to execute
Waiting for or triggering a service restart to execute the planted malicious code

For the path C:\Program Files (x86)\Internet Telcel\ApplicationController.exe, Windows will attempt to execute in this order:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Internet.exe
C:\Program Files (x86)\Internet Telcel\ApplicationController.exe

If an attacker can write to C:\ or C:\Program Files (x86)\, they can plant Program.exe or Internet.exe respectively to achieve code execution with elevated privileges.

Detection Methods for CVE-2022-50935

Indicators of Compromise

Presence of unexpected executables named Program.exe, Internet.exe, or similar at path segment boundaries
Unusual process creation from Windows service accounts with suspicious parent-child relationships
Modifications to directories along the service path, particularly C:\Program Files (x86)\
Service crashes or unexpected restarts of the Internet Telcel ApplicationController service

Detection Strategies

Audit Windows services for unquoted paths using PowerShell queries against the registry: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
Monitor for file creation events in C:\, C:\Program Files\, and C:\Program Files (x86)\ directories that create executables with names matching path segments
Implement application whitelisting to prevent execution of unauthorized executables in sensitive directories
Deploy endpoint detection rules to identify service path exploitation patterns

Monitoring Recommendations

Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing
Configure file integrity monitoring on system directories to detect planted executables
Monitor service registry keys (HKLM\SYSTEM\CurrentControlSet\Services) for suspicious modifications
Review service account process trees for anomalous child process spawning

How to Mitigate CVE-2022-50935

Immediate Actions Required

Audit all Windows services for unquoted paths containing spaces and remediate by adding proper quotation marks
Verify directory permissions along the service path to restrict write access to administrators only
Consider temporarily disabling the Internet Telcel ApplicationController service if not required
Deploy endpoint protection rules to detect exploitation attempts

Patch Information

Workarounds

Manually correct the service path in the Windows registry by enclosing it in quotation marks
Restrict write permissions on C:\ and C:\Program Files (x86)\ to prevent executable planting
Implement application control policies that prevent execution of unauthorized executables
Remove or disable the vulnerable service if modem functionality is not required

bash

# Registry fix to quote the service path (run as Administrator)
# First, query the current service path:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\ApplicationController" /v ImagePath

# Then update to properly quoted path:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ApplicationController" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Internet Telcel\ApplicationController.exe\"" /f

CVE-2022-50935: Flame II HSPA USB Modem RCE Vulnerability

CVE-2022-50935 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-50935

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-50935

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-50935

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-50935: Flame II HSPA USB Modem RCE Vulnerability

CVE-2022-50935 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-50935

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-50935

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-50935

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform