Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.
AnalysisAI
Unquoted service path vulnerability in AVACAST by eMPIA Technology enables local privilege escalation from high-privileged user to SYSTEM. Attackers with administrative access can plant malicious executables in unquoted paths, achieving arbitrary code execution with system-level privileges upon service restart. Taiwan CERT (TWCERT) published advisories confirming the vulnerability. No public exploit code identified at time of analysis, and exploitation requires existing administrative privileges, limiting practical risk to environments where privileged user compromise is a concern.
Technical ContextAI
The vulnerability affects AVACAST, a software product developed by eMPIA Technology, identified by CPE cpe:2.3:a:empia_technology:avacast. The issue is classified as CWE-428 (Unquoted Search Path or Element), a Windows-specific weakness where service paths containing spaces are not properly quoted in the registry. When Windows starts a service with an unquoted path like 'C:\Program Files\AVACAST\service.exe', the system searches for executables in multiple locations: first 'C:\Program.exe', then 'C:\Program Files\AVACAST.exe', before the intended target. An attacker with write access to these intermediate directories can plant malicious executables that execute with the service's privileges (typically SYSTEM). This is a well-understood attack vector in Windows environments that has affected numerous products over the years.
RemediationAI
Contact eMPIA Technology directly for patch availability, referencing TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10885-02d83-2.html for vendor coordination details. No vendor-released patch version is independently confirmed in available data at time of analysis. As an immediate workaround, administrators can manually quote the AVACAST service path in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, modifying the ImagePath value to enclose the executable path in double quotes. This requires registry editing (regedit.exe), creating a restore point beforehand, and restarting the service after modification. Additionally, implement file system access controls to prevent non-SYSTEM users from writing to directories in the service path (e.g., C:\Program Files\), though this should already be default Windows behavior and indicates potential broader security misconfigurations if writable by standard administrators. Audit all services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^".+"' -and $_.PathName -match ' '} | Select Name, PathName.
Same weakness CWE-428 – Unquoted Search Path or Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26029