Security Vulnerability Report
CVE-2026-33253 CVSS 6.7 MEDIUM

CVE-2026-33253

Published: 2026-03-25 06:16:29
Last Modified: 2026-03-25 15:41:34

Description

SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

SANUPS SOFTWARE (for the specific affected versions, refer to vendor security advisory H0033413 or H0033449)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
powershell
# PowerShell script to check for unquoted service paths and demonstrate the vulnerability concept

# Function to check for unquoted service paths
function Get-UnquotedServicePaths {
    Write-Host "[*] Checking for unquoted service paths..."

    # Get-CimInstance replaces the deprecated Get-WmiObject.
    # Keep services whose command line does not start with a quote and whose
    # executable path (everything up to and including ".exe") contains a space.
    # Spaces that occur only in the arguments do not make the path ambiguous.
    $exePattern = '^(.+?\.exe)(\s|$)'
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and
        $_.PathName -notlike '"*' -and
        $_.PathName -match $exePattern -and
        $Matches[1] -like '* *'
    }

    if ($services) {
        foreach ($svc in $services) {
            Write-Host "[!] Vulnerable Service Found: $($svc.Name)" -ForegroundColor Red
            Write-Host "    Path: $($svc.PathName)"

            # Logic to determine potential hijack points: every space in the
            # executable path is a place where Windows may stop parsing and
            # try "<prefix>.exe" first.
            $null = $svc.PathName -match $exePattern
            $splitPath = $Matches[1] -split ' '
            $hijackPath = ""
            for ($i = 0; $i -lt $splitPath.Count - 1; $i++) {
                $hijackPath += $splitPath[$i]
                Write-Host "    Potential Hijack Point: ${hijackPath}.exe"
                $hijackPath += " "
            }
        }
    } else {
        Write-Host "[+] No obviously vulnerable unquoted services found with spaces."
    }
}

# Execute the check
Get-UnquotedServicePaths

# Note: Exploitation requires placing a malicious executable (e.g., 'Program.exe')
# in one of the identified hijack points (e.g., C:\) and waiting for the service to restart
# or forcing a restart (if permissions allow).

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33253", "sourceIdentifier": "[email protected]", "published": "2026-03-25T06:16:28.527", "lastModified": "2026-03-25T15:41:33.977", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}, {"lang": "es", "value": "SANUPS SOFTWARE proporcionado por SANYO DENKI CO., LTD. registra servicios de Windows con rutas de archivo sin comillas. Un usuario con permiso de escritura en el directorio raíz de la unidad del sistema puede ejecutar código arbitrario con privilegio SYSTEM."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN90835713/", "source": "[email protected]"}, {"url": "https://products.sanyodenki.com/media/document/sanups/H0033413_jp.pdf", "source": "[email protected]"}, {"url": "https://products.sanyodenki.com/media/document/sanups/H0033449_en.pdf", "source": "[email protected]"}]}}