Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-50971

CVE-2022-50971: Malwarebytes Privilege Escalation Flaw

CVE-2022-50971 is an unquoted service path vulnerability in Malwarebytes 4.5 that enables local attackers to escalate privileges to LocalSystem. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2022-50971 Overview

CVE-2022-50971 is an unquoted service path vulnerability affecting Malwarebytes 4.5. The flaw resides in the MBAMService executable, which registers a Windows service using a file path that is not properly enclosed in quotation marks. A local attacker with limited privileges can place a malicious executable at a higher directory in the unquoted path. When the service starts or the system reboots, Windows executes the planted binary with LocalSystem privileges.

Critical Impact

Local privilege escalation to LocalSystem through a malicious executable placed in the unquoted service path of MBAMService.

Affected Products

  • Malwarebytes 4.5 (Windows)
  • MBAMService Windows service component
  • Endpoints running affected Malwarebytes builds with default installation paths

Discovery Timeline

  • 2026-06-19 - CVE-2022-50971 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2022-50971

Vulnerability Analysis

The vulnerability is classified under [CWE-428] Unquoted Search Path or Element. Windows parses unquoted service binary paths by splitting on whitespace and attempting to execute each candidate sequentially. When MBAMService is registered with a path such as C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe without enclosing quotes, the Service Control Manager attempts to load C:\Program.exe first, then C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe, before reaching the intended binary.

An attacker who can write to C:\ or another intermediate directory can plant a binary that intercepts service startup. Because services start under LocalSystem, the planted code executes with the highest local privileges, bypassing User Account Control and standard user restrictions.

Root Cause

The root cause is improper quoting of the service binary path in the Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath. Without surrounding quotes, the Service Control Manager treats spaces in Program Files as path delimiters during binary resolution.

Attack Vector

Exploitation requires local access and write permission to a directory along the unquoted path. The attacker drops a crafted executable named to match a path fragment, then waits for the service to restart or triggers a reboot. Public proof-of-concept material is documented in Exploit-DB #50806 and the VulnCheck Advisory on Malwarebytes. No remote attack vector exists.

Detection Methods for CVE-2022-50971

Indicators of Compromise

  • Unexpected executables at C:\Program.exe or other intermediate directories along the Malwarebytes install path
  • New service binary creation events targeting LocalSystem in MBAMService startup sequences
  • Modifications to HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath registry values

Detection Strategies

  • Audit the ImagePath values of installed Windows services and flag entries containing spaces without surrounding quotes
  • Monitor process creation events where services.exe spawns a binary from an unexpected location such as C:\Program.exe
  • Alert on file write operations to root drive letters by non-administrative users

Monitoring Recommendations

  • Enable Windows Security event logging for service installation and modification (Event IDs 7045, 4697)
  • Track Sysmon Event ID 1 process creation chains originating from services.exe
  • Review endpoint protection telemetry for binaries placed in root-level directories outside standard software installers

How to Mitigate CVE-2022-50971

Immediate Actions Required

  • Update Malwarebytes to a version that quotes the MBAMService binary path; consult the Malwarebytes Download Page for the latest installer
  • Audit Access Control Lists on C:\ and intermediate directories to deny write access for non-administrative accounts
  • Remove any suspicious executables found at root-level paths matching service path fragments

Patch Information

Apply the latest Malwarebytes release referenced on the Malwarebytes Homepage. Verify after upgrade that the registry value HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath is enclosed in double quotes.

Workarounds

  • Manually quote the affected service path by editing the registry value HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath to wrap the executable path in double quotes
  • Restrict write permissions on C:\ so that only administrators and SYSTEM can create files at the drive root
  • Enforce application allowlisting to block execution of unsigned binaries from unexpected locations
bash
# Verify and correct the service path quoting (run as Administrator)
sc.exe qc MBAMService
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MBAMService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe\"" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.