Security Vulnerability Report
CVE-2021-47945 CVSS 7.8 HIGH

CVE-2021-47945

Published: 2026-05-10 13:16:31
Last Modified: 2026-05-13 15:30:25

Description

Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Argus Surveillance DVR 4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os

# Proof of Concept: Check for Unquoted Service Path
# This script simulates checking the DVRWatchdog service


def check_unquoted_service_path(service_name):
    try:
        # In a real scenario, this would query the service configuration
        # through the Service Control Manager (requires pywin32):
        # import win32service
        # hkey = win32service.OpenSCManager(None, None, win32service.SC_MANAGER_CONNECT)
        # service = win32service.OpenService(hkey, service_name, win32service.SERVICE_QUERY_CONFIG)
        # config = win32service.QueryServiceConfig(service)

        # Simulated vulnerable path
        image_path = "C:\\Program Files\\Argus\\DVRWatchdog.exe"

        if not image_path.startswith('"') and " " in image_path:
            print(f"[+] Vulnerable Service Found: {service_name}")
            print(f"[+] Unquoted Path: {image_path}")

            # Check for write access in the path segments
            parts = image_path.split('\\')
            current_path = ""
            for part in parts[:-1]:
                current_path += part + "\\"
                # Check if directory is writable (simplified logic:
                # only existence is tested here, no ACL check is made)
                if os.path.exists(current_path):
                    print(f"[*] Checking write access for: {current_path}")
                    # If writable, an attacker could drop 'Program.exe' here
        else:
            print("[-] Service path is quoted or contains no spaces.")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    check_unquoted_service_path("DVRWatchdog")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47945", "sourceIdentifier": "[email protected]", "published": "2026-05-10T13:16:30.897", "lastModified": "2026-05-13T15:30:24.603", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50261", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/argus-surveillance-dvr-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}