CVE-2022-50971 Overview
CVE-2022-50971 is an unquoted service path vulnerability affecting Malwarebytes 4.5. The flaw resides in the MBAMService executable, which registers a Windows service using a file path that is not properly enclosed in quotation marks. A local attacker with limited privileges can place a malicious executable at a higher directory in the unquoted path. When the service starts or the system reboots, Windows executes the planted binary with LocalSystem privileges.
Critical Impact
Local privilege escalation to LocalSystem through a malicious executable placed in the unquoted service path of MBAMService.
Affected Products
- Malwarebytes 4.5 (Windows)
- MBAMService Windows service component
- Endpoints running affected Malwarebytes builds with default installation paths
Discovery Timeline
- 2026-06-19 - CVE-2022-50971 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2022-50971
Vulnerability Analysis
The vulnerability is classified under [CWE-428] Unquoted Search Path or Element. Windows parses unquoted service binary paths by splitting on whitespace and attempting to execute each candidate sequentially. When MBAMService is registered with a path such as C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe without enclosing quotes, the Service Control Manager attempts to load C:\Program.exe first, then C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe, before reaching the intended binary.
An attacker who can write to C:\ or another intermediate directory can plant a binary that intercepts service startup. Because services start under LocalSystem, the planted code executes with the highest local privileges, bypassing User Account Control and standard user restrictions.
Root Cause
The root cause is improper quoting of the service binary path in the Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath. Without surrounding quotes, the Service Control Manager treats spaces in Program Files as path delimiters during binary resolution.
Attack Vector
Exploitation requires local access and write permission to a directory along the unquoted path. The attacker drops a crafted executable named to match a path fragment, then waits for the service to restart or triggers a reboot. Public proof-of-concept material is documented in Exploit-DB #50806 and the VulnCheck Advisory on Malwarebytes. No remote attack vector exists.
Detection Methods for CVE-2022-50971
Indicators of Compromise
- Unexpected executables at C:\Program.exe or other intermediate directories along the Malwarebytes install path
- New service binary creation events targeting LocalSystem in MBAMService startup sequences
- Modifications to HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath registry values
Detection Strategies
- Audit the ImagePath values of installed Windows services and flag entries containing spaces without surrounding quotes
- Monitor process creation events where services.exe spawns a binary from an unexpected location such as C:\Program.exe
- Alert on file write operations to root drive letters by non-administrative users
Monitoring Recommendations
- Enable Windows Security event logging for service installation and modification (Event IDs 7045, 4697)
- Track Sysmon Event ID 1 process creation chains originating from services.exe
- Review endpoint protection telemetry for binaries placed in root-level directories outside standard software installers
How to Mitigate CVE-2022-50971
Immediate Actions Required
- Update Malwarebytes to a version that quotes the MBAMService binary path; consult the Malwarebytes Download Page for the latest installer
- Audit Access Control Lists on C:\ and intermediate directories to deny write access for non-administrative accounts
- Remove any suspicious executables found at root-level paths matching service path fragments
Patch Information
Apply the latest Malwarebytes release referenced on the Malwarebytes Homepage. Verify after upgrade that the registry value HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath is enclosed in double quotes.
Workarounds
- Manually quote the affected service path by editing the registry value HKLM\SYSTEM\CurrentControlSet\Services\MBAMService\ImagePath to wrap the executable path in double quotes
- Restrict write permissions on C:\ so that only administrators and SYSTEM can create files at the drive root
- Enforce application allowlisting to block execution of unsigned binaries from unexpected locations
# Verify and correct the service path quoting (run as Administrator)
sc.exe qc MBAMService
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MBAMService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

