CVE-2024-47856 Overview
CVE-2024-47856 is a path interception vulnerability affecting RSA Authentication Agent for Microsoft Windows prior to version 7.4.7. The vulnerability exists because service paths and shortcut paths containing spaces are not properly enclosed in quotation marks, allowing an adversary to place a malicious executable in a higher-level directory. When Windows attempts to resolve the executable path, it will find and execute the attacker's payload instead of the legitimate RSA Authentication Agent binary.
Critical Impact
This vulnerability enables local privilege escalation through path interception, potentially allowing attackers to execute arbitrary code with SYSTEM privileges when the RSA Authentication Agent service starts or restarts.
Affected Products
- RSA Authentication Agent for Microsoft Windows versions prior to 7.4.7
Discovery Timeline
- 2025-11-24 - CVE-2024-47856 published to NVD
- 2025-12-30 - Last updated in NVD database
Technical Details for CVE-2024-47856
Vulnerability Analysis
This vulnerability is classified under CWE-23 (Relative Path Traversal) and stems from improper handling of file system paths within the RSA Authentication Agent for Windows. When a Windows service is configured with an executable path that contains spaces and is not enclosed in quotation marks, the operating system's path resolution becomes ambiguous and therefore exploitable. For example, given a path like C:\Program Files\RSA\Agent\service.exe, Windows treats each space as a possible end of the executable name and tries the candidates in turn: C:\Program.exe, then C:\Program Files\RSA\Agent\service.exe, etc.
The attack does not require authentication or user interaction, making it accessible to any adversary with local file system write access to directories higher in the path hierarchy. Upon successful exploitation, the attacker-supplied executable would run with the privileges of the RSA Authentication Agent service, which typically operates at elevated or SYSTEM-level permissions.
Root Cause
The root cause lies in the installation or configuration process of RSA Authentication Agent for Windows, which fails to enclose service executable paths and shortcut targets in quotation marks when they contain spaces. This is a common Windows security misconfiguration that has been documented for years but continues to appear in enterprise software deployments.
Attack Vector
The attack vector is network-accessible according to the CVSS classification, though practical exploitation requires an attacker to have already gained some level of access to the target system's file system. The typical attack sequence involves:
- An attacker identifies the vulnerable unquoted service path on a target system running RSA Authentication Agent
- The attacker places a malicious executable (e.g., Program.exe) in a location that Windows will resolve before the legitimate path
- When the RSA Authentication Agent service is started, stopped, or restarted (manually, by system reboot, or through other means), Windows executes the attacker's payload instead
- The malicious code runs with the privileges of the RSA Authentication Agent service
The unquoted service path vulnerability allows privilege escalation when an attacker can write to a directory that appears earlier in the path resolution sequence. Since the RSA Authentication Agent typically installs to C:\Program Files\, an attacker with write access to C:\ could place a Program.exe file that would be executed with elevated privileges.
Detection Methods for CVE-2024-47856
Indicators of Compromise
- Unexpected executable files in root directories or intermediate path locations (e.g., C:\Program.exe, C:\Program Files.exe)
- Unusual process execution chains where the RSA Authentication Agent service spawns unexpected child processes
- Modified timestamps on directories within the RSA Authentication Agent installation path hierarchy
- Event log entries showing service failures or unexpected service behavior
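To turn the first indicator above into a concrete check, the following added example (not from RSA or the original page) expands an unquoted service command line into the paths Windows tries before the intended binary and reports whether a file exists at each one. The function name and the sample service name are hypothetical, and the sample path is the illustrative one used on this page.

```powershell
# Added example, not vendor code. Lists the paths Windows tries before the
# intended binary when a service command line is unquoted.
function Get-PathInterceptionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(ValueFromPipelineByPropertyName)][string]$PathName
    )
    process {
        if (-not $PathName) { return }
        $cmd = $PathName.Trim()
        if ($cmd.StartsWith('"')) { return }      # quoted: no ambiguity

        # Executable = shortest prefix ending in ".exe" that is followed by
        # whitespace or end of string; anything after it is arguments.
        if ($cmd -notmatch '^(?<exe>.+?\.exe)(\s|$)') { return }
        $exe = $Matches['exe']

        # Each space inside the executable path is a point where Windows
        # may stop and try "<text so far>.exe" first.
        $order = 0
        for ($i = 0; $i -lt $exe.Length; $i++) {
            if ($exe[$i] -ne ' ') { continue }
            $order++
            $candidate = $exe.Substring(0, $i) + '.exe'
            [pscustomobject]@{
                Service   = $Name
                Order     = $order
                Candidate = $candidate
                Exists    = Test-Path -LiteralPath $candidate -PathType Leaf
                Intended  = $exe
            }
        }
    }
}

# Constructed sample using the illustrative path from this page; the service
# name is a placeholder, not the agent's real service name.
[pscustomobject]@{
    Name     = 'ExampleAgentSvc'
    PathName = 'C:\Program Files\RSA\Agent\service.exe'
} | Get-PathInterceptionCandidate

# Live check: any row returned is a file sitting on an interception path.
Get-CimInstance Win32_Service |
    Get-PathInterceptionCandidate |
    Where-Object Exists
```

The Candidate values are also the file paths worth adding to file integrity monitoring and file-creation alerting.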
Detection Strategies
- Use Windows Event Log monitoring to detect service start failures or unusual service behavior related to RSA Authentication Agent
- Implement file integrity monitoring on critical directories in the service path hierarchy
- Query Windows services using wmic service get name,displayname,pathname,startmode to identify unquoted service paths
- Deploy endpoint detection tools that monitor for executables appearing in suspicious locations that could intercept service paths
Monitoring Recommendations
- Enable detailed Windows Security auditing for process creation events (Event ID 4688) with command line logging
- Monitor for file creation events in directories that could be used for path interception attacks
- Configure alerts for any modifications to the RSA Authentication Agent service configuration
- Implement SentinelOne Singularity to detect privilege escalation attempts and suspicious process relationships
How to Mitigate CVE-2024-47856
Immediate Actions Required
- Upgrade RSA Authentication Agent for Microsoft Windows to version 7.4.7 or later immediately
- Audit all Windows services for unquoted paths using built-in Windows tools or third-party security scanners
- Restrict write permissions on root directories and intermediate paths to prevent attackers from placing malicious executables
- Review and harden file system permissions across enterprise endpoints
Patch Information
RSA has released version 7.4.7 of RSA Authentication Agent for Microsoft Windows to address this vulnerability. The patch properly quotes service paths and shortcut targets to prevent path interception attacks. Administrators should download the updated version from the RSA Authentication Agent Download Portal and follow the RSA Security Update Advisory for deployment guidance.
Workarounds
- Manually correct unquoted service paths in the Windows registry by enclosing the ImagePath value in quotation marks
- Restrict NTFS permissions on directories that could be exploited for path interception (e.g., C:\Program.exe locations)
- Implement application whitelisting to prevent execution of unauthorized binaries
- Deploy endpoint protection solutions capable of detecting and blocking privilege escalation attempts
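```powershell
# Check for unquoted service paths on Windows systems
# (run from PowerShell; the property list is quoted so the commas reach wmic intact)
wmic service get "name,displayname,pathname,startmode" | findstr /i "RSA"
# PowerShell command to identify vulnerable services: unquoted paths with a space
# in the executable portion (spaces that only appear in arguments are ignored)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '^[^"]+?\.exe' -and $Matches[0] -like '* *' } | Select-Object Name, PathName
```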
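One way to apply the first workaround above where the upgrade cannot be deployed yet (an added example, not RSA's fix and not code from the original page): read the raw ImagePath value, quote only the executable portion, and write it back with the same registry value type. The function name and the service name in the usage line are placeholders, since the page does not give the agent's service name.

```powershell
# Added example, not vendor code. Quotes the executable portion of a
# service's ImagePath. Run elevated; use -WhatIf to preview the change.
function Repair-UnquotedImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop

    # Read the raw value: Get-ItemProperty would expand %SystemRoot% and
    # similar variables, and writing that back would lose them.
    $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw -or $raw.TrimStart().StartsWith('"')) { return }
    $kind = $key.GetValueKind('ImagePath')

    # Split the executable from its arguments at the first ".exe" that is
    # followed by whitespace or end of string.
    if ($raw -notmatch '^\s*(?<exe>.+?\.exe)(?<args>\s.*)?$') { return }
    $exe  = $Matches['exe']
    $rest = $Matches['args']
    if (-not $exe.Contains(' ')) { return }   # no space, nothing to intercept

    $fixed = '"{0}"{1}' -f $exe, $rest
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $key.PSPath -Name ImagePath `
            -Value $fixed -Type $kind
    }
    [pscustomobject]@{ Service = $ServiceName; Before = $raw; After = $fixed }
}

# Preview only. 'ExampleAgentSvc' is a placeholder service name.
Repair-UnquotedImagePath -ServiceName 'ExampleAgentSvc' -WhatIf
```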