Security Vulnerability Report
CVE-2021-47810 CVSS 7.8 HIGH

CVE-2021-47810

Published: 2026-01-16 00:16:26
Last Modified: 2026-01-30 00:49:55

Description

WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wibu:wibukey:6.51:*:*:*:*:*:*:* - VULNERABLE
WibuKey Runtime <= 6.51
WkSvW32.exe (all unpatched versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2021-47810 PoC - WibuKey Runtime WkSvW32.exe Unquoted Service Path

This PoC demonstrates the unquoted service path vulnerability in WibuKey Runtime.
Note: This is for educational and authorized testing purposes only.
"""

import os
import subprocess


def check_vulnerability():
    """Check if WibuKey service is installed and has unquoted path"""
    try:
        # Query the service configuration from the Service Control Manager
        result = subprocess.run(
            ['sc', 'qc', 'WkSvW32'],
            capture_output=True,
            text=True
        )

        if 'WkSvW32' in result.stdout:
            # Check for unquoted path with spaces
            if 'BINARY_PATH_NAME' in result.stdout:
                for line in result.stdout.split('\n'):
                    if 'BINARY_PATH_NAME' in line:
                        path = line.split(':', 1)[1].strip() if ':' in line else line.strip()
                        print(f"[+] Service path: {path}")

                        # Only the executable portion matters: a space in the
                        # arguments after ".exe" does not make the path ambiguous
                        end = path.lower().find('.exe')
                        exe_path = path[:end + 4] if end != -1 else path

                        # Check if path contains spaces and is not quoted
                        if ' ' in exe_path and not path.startswith('"'):
                            print("[!] VULNERABLE: Unquoted path with spaces detected!")
                            return True
                        else:
                            print("[-] Service path appears to be properly quoted")
                            return False
            # Service exists but its binary path could not be read
            return False
        else:
            print("[-] WkSvW32 service not found")
            return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False


def exploit():
    r"""
    Exploitation steps (for authorized testing only):
    1. Create malicious executable at C:\Program.exe
    2. Wait for service restart or trigger service stop/start
    3. Malicious code executes with service privileges
    """
    malicious_path = r"C:\Program.exe"

    # Demonstration only: nothing is written to disk, the steps are just printed
    print(f"[*] In a real attack, malicious code would be placed at: {malicious_path}")
    print("[*] When WkSvW32 service starts, it would execute the malicious Program.exe")
    print("[*] The malicious code would run with SYSTEM privileges")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2021-47810 - WibuKey Runtime Unquoted Service Path PoC")
    print("=" * 60)

    if os.name == 'nt':
        is_vulnerable = check_vulnerability()
        if is_vulnerable:
            print("\n[*] Vulnerability confirmed!")
            # Uncomment below line for authorized testing only:
            # exploit()
        else:
            print("\n[-] Target system does not appear to be vulnerable")
    else:
        print("[-] This PoC only works on Windows systems")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47810", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:26.077", "lastModified": "2026-01-30T00:49:54.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\PROGRAM FILES (X86)\\WIBUKEY\\SERVER\\WkSvW32.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "WibuKey Runtime 6.51 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio WkSvW32.exe que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\PROGRAM FILES (X86)\\WIBUKEY\\SERVER\\WkSvW32.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wibu:wibukey:6.51:*:*:*:*:*:*:*", "matchCriteriaId": "72A82047-E02D-4AB2-8164-FE4834448DDA"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49999", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/wibukey-runtime-wksvwexe-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.wibu.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.wibu.com/us/support/user/downloads-user-software.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/49999", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}