Security Vulnerability Report
CVE-2022-50923 CVSS 7.8 HIGH

CVE-2022-50923

Published: 2026-01-13 23:15:56
Last Modified: 2026-03-02 15:16:27

Description

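Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. Because the configured path contains spaces and is not wrapped in quotes, Windows tries each space-delimited prefix of the path as an executable before it reaches the intended service binary, so the issue is only exploitable where a low-privileged user can write to one of the directories along that path.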

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cobiansoft:cobian_backup:0.9.93:*:*:*:*:*:*:* - VULNERABLE
Cobian Backup 0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
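# CVE-2022-50923 PoC - Unquoted Service Path in Cobian Backup
# This PoC demonstrates the unquoted service path vulnerability in CobianReflectorService
# Attack vector: Place malicious executable in path before the legitimate service binary
#
# The check only reads the service configuration; it never writes to the host.
import os
import re
import sys
import subprocess

# End of the executable name inside an unquoted command line: ".exe" followed
# by whitespace (arguments) or by the end of the string.
_EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)


def _executable_portion(binary_path):
    """Return the part of an unquoted command line that names the executable.

    When no ".exe" boundary is found the whole string is returned, so an
    unusual path is reported rather than silently passed.
    """
    match = _EXE_END.search(binary_path)
    return binary_path[:match.end()] if match else binary_path


def check_vulnerability(sc_output=None):
    """Check if the system is vulnerable to CVE-2022-50923.

    Args:
        sc_output: Optional text of a previously captured
            ``sc qc CobianReflectorService`` run, for reviewing collected
            output away from the host. When omitted, the command is run
            locally.

    Returns:
        True when the executable portion of BINARY_PATH_NAME is unquoted and
        contains a space. False otherwise, including when the service is not
        found or the query cannot be run.
    """
    if sc_output is None:
        try:
            # Query the CobianReflectorService configuration
            result = subprocess.run(
                ['sc', 'qc', 'CobianReflectorService'],
                capture_output=True,
                text=True
            )
        except (OSError, subprocess.SubprocessError, UnicodeError) as e:
            # e.g. sc is not available because this is not a Windows host
            print(f"[-] Error: {e}")
            return False
        sc_output = result.stdout

    for line in sc_output.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue

        # Split on the first colon only, so the drive-letter colon survives.
        _, _, value = line.partition(':')
        path = value.strip()
        print(f"[*] Current Binary Path: {path}")

        # A leading quote means the executable itself is quoted. A quote that
        # appears only later belongs to an argument and protects nothing.
        if path.startswith('"'):
            print("[+] NOT VULNERABLE: Path is properly quoted")
            return False

        # Spaces matter only inside the executable path, not in its arguments.
        if ' ' in _executable_portion(path):
            print("[!] VULNERABLE: Path is unquoted and contains spaces")
            return True

        print("[+] NOT VULNERABLE: Executable path contains no spaces")
        return False

    print("[-] CobianReflectorService not found")
    return False


def exploit():
    """Print the attack steps for CVE-2022-50923, followed by mitigations.

    This function only prints text; it does not modify the host.
    """
    print("=" * 60)
    print("CVE-2022-50923 Exploitation Guide")
    print("=" * 60)
    print("\n[!] This is for educational and authorized testing purposes only")
    print("\nAttack Steps:")
    print("1. Identify the unquoted path (e.g., C:\\Program Files\\Cobian Backup\\CobianReflectorService.exe)")
    print("2. Create malicious executable named 'Program.exe'")
    print("3. Place it in C:\\ directory")
    print("4. Wait for service restart or system reboot")
    print("5. Malicious code executes with LocalSystem privileges")
    # NOTE(review): the advisory's CVSS vector is PR:L. Whether step 3 is
    # possible depends on the ACLs of each directory along the service path.
    print("\n[!] Requires local administrator access to place files")
    print("\nMitigation:")
    print("1. Wrap the service ImagePath in double quotes")
    print("2. Confirm non-administrators cannot write to C:\\ or any directory on the service path")
    print("3. Re-run this check after changing the service configuration")


if __name__ == '__main__':
    check_vulnerability()
    exploit()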

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50923", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:56.323", "lastModified": "2026-03-02T15:16:27.417", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Cobian Backup 0.9 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a los usuarios locales ejecutar código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta binaria sin comillas en el CobianReflectorService para inyectar código malicioso que se ejecutará con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cobiansoft:cobian_backup:0.9.93:*:*:*:*:*:*:*", "matchCriteriaId": "CBBEBD8F-8BBD-4788-8BFC-43D01954CE09"}]}]}], "references": [{"url": "https://www.cobiansoft.com//", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cobiansoft.com/download.php/", "source": 
"[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50810", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/cobian-backup-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}