CVE-2022-50938 Overview
CVE-2022-50938 is an unquoted service path vulnerability affecting CONTPAQi AdminPAQ 14.0.0. The AppKeyLicenseServer service runs with LocalSystem privileges and contains an unquoted service path, allowing attackers with local access to inject malicious executables that will be executed with elevated SYSTEM privileges during service startup. This vulnerability class (CWE-428) enables local privilege escalation by exploiting how Windows resolves unquoted paths containing spaces.
Critical Impact
Local attackers can achieve SYSTEM-level code execution by placing a malicious executable in a location that Windows will resolve before the legitimate service binary, enabling complete system compromise.
Affected Products
- CONTPAQi AdminPAQ 14.0.0
- AppKeyLicenseServer service component
Discovery Timeline
- 2026-01-13 - CVE CVE-2022-50938 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50938
Vulnerability Analysis
The vulnerability exists in the AppKeyLicenseServer service configuration within CONTPAQi AdminPAQ 14.0.0. When the service binary path contains spaces and is not properly enclosed in quotation marks, Windows follows a specific search order to locate the executable. An attacker can exploit this behavior by placing a malicious executable at one of the searched locations that Windows checks before reaching the intended service binary.
The service runs under the LocalSystem account, which has the highest privilege level on a Windows system. When the malicious executable is loaded instead of the legitimate service binary, it inherits these elevated privileges. This enables attackers to execute arbitrary code with full system access, facilitating persistence mechanisms, credential theft, lateral movement, or complete system compromise.
This local attack vector requires the attacker to have write access to one of the path locations that Windows searches before the legitimate binary path. Common exploitation scenarios include placing malicious binaries in locations like C:\Program.exe or within subdirectories of the unquoted path that precede the actual executable location.
Root Cause
The root cause is the absence of quotation marks around the service binary path in the Windows service configuration. When registering the AppKeyLicenseServer service, the installer failed to enclose the ImagePath registry value in quotes. Windows interprets spaces in unquoted paths as argument delimiters, causing it to sequentially attempt to execute binaries at each space-delimited segment until it finds a valid executable.
Attack Vector
This is a local attack vector requiring the attacker to have prior access to the system with sufficient privileges to write files to one of the path locations Windows searches. The attack proceeds as follows:
- The attacker identifies the unquoted service path using tools like wmic or by querying the registry
- The attacker places a malicious executable at a location Windows will check before the legitimate binary
- The malicious binary executes with LocalSystem privileges when the service starts or restarts
The vulnerability can be identified by querying unquoted service paths on the system. For technical exploitation details and proof-of-concept code, refer to Exploit-DB #50690.
Detection Methods for CVE-2022-50938
Indicators of Compromise
- Unexpected executables appearing in root directories or program paths (e.g., C:\Program.exe, C:\Program Files\CONTPAQi\AppKey.exe)
- Service startup failures or unexpected behavior from the AppKeyLicenseServer service
- Unusual processes spawning with SYSTEM privileges during service start operations
Detection Strategies
- Audit Windows services for unquoted paths using PowerShell or WMIC queries to identify vulnerable configurations
- Monitor file creation events in directories along the service binary path using endpoint detection solutions
- Implement SentinelOne's behavioral AI to detect privilege escalation attempts and anomalous SYSTEM-level process execution
Monitoring Recommendations
- Enable Windows Security Event logging for service control manager events (Event ID 7045 for new service installations)
- Configure SentinelOne Singularity to alert on suspicious executable placement in common unquoted path exploitation locations
- Monitor for process execution chains where non-standard binaries spawn with LocalSystem privileges
How to Mitigate CVE-2022-50938
Immediate Actions Required
- Audit all services on affected systems to identify unquoted service paths using wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Restrict write permissions on directories within service binary paths to prevent unauthorized executable placement
- Update CONTPAQi AdminPAQ to the latest version if a patch is available from the CONTPAQi Downloads page
Patch Information
Organizations should check CONTPAQi's official downloads page for updated versions of AdminPAQ that address this vulnerability. The VulnCheck Security Advisory provides additional remediation guidance.
Workarounds
- Manually fix the service path by adding quotes around the ImagePath registry value at HKLM\SYSTEM\CurrentControlSet\Services\AppKeyLicenseServer
- Restrict NTFS permissions on the installation directory and parent paths to prevent unprivileged users from writing executables
- Consider disabling the affected service if not required for business operations until a vendor patch is available
# PowerShell command to fix unquoted service path (run as Administrator)
# First, verify the current service path:
# Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AppKeyLicenseServer" -Name ImagePath
# Apply quoted path fix (adjust path to match your installation):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AppKeyLicenseServer" -Name ImagePath -Value '"C:\Program Files\CONTPAQi\AdminPAQ\AppKeyLicenseServer.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
