CVE-2021-47861
Unquoted Service Path in Event Log Explorer 4.9.3 Enables Privilege Escalation
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fspro_labs | event_log_explorer | 4.9.3 |
| unknown_vendor | elodea_event_collector | 4.9.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47861 is an unquoted service path vulnerability in Event Log Explorer version 4.9.3. This flaw occurs because the service executable path is not enclosed in quotes, which can cause Windows to misinterpret the path and execute malicious executables placed by a local attacker in higher-priority locations. Exploiting this vulnerability allows local users to execute arbitrary code with elevated system privileges under the LocalSystem account during service startup. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute arbitrary code with elevated system privileges. This means the attacker could gain full control over the affected system, potentially leading to unauthorized access, data manipulation, or disruption of system operations. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the executable path of the 'ElodeaEventCollectorService' service contains spaces and is not enclosed in quotes. On a Windows system, you can use the command: sc qc ElodeaEventCollectorService to display the service configuration, including the executable path. If the path is unquoted and contains spaces (e.g., C:\Program Files (x86)\Elodea\EventCollector.exe without quotes), the system is vulnerable. You can also inspect the service path manually in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ElodeaEventCollectorService. An unquoted path is what allows a malicious executable placed in a higher-priority location, such as C:\Program.exe or C:\Program Files.exe, to be run in place of the intended one. [1, 2]
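The check described above can be generalized from the one service to every service registered on a host. The following read-only PowerShell audit is an added example, not code from the vendor or from the advisory; the function name Test-UnquotedServicePath is hypothetical, and the sample path is the one quoted on this page.

```powershell
# Added example: read-only audit for CWE-428 (unquoted service path containing spaces).
# Test-UnquotedServicePath is a hypothetical helper name, not part of any product.

function Test-UnquotedServicePath {
    param([string]$ImagePath)

    # Expand %SystemRoot% and similar so the real path is evaluated.
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($path.StartsWith('"')) { return $false }   # already quoted

    # Isolate the executable part: shortest prefix ending in ".exe" that is
    # followed by whitespace (arguments) or the end of the string.
    if ($path -match '^(?<exe>.+?\.exe)(\s|$)') {
        return $Matches['exe'].Contains(' ')       # a space inside the exe path
    }
    return $false                                  # drivers, .sys entries, empty values
}

function Get-UnquotedServicePath {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ImagePath -and (Test-UnquotedServicePath -ImagePath $props.ImagePath)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Account   = $props.ObjectName      # e.g. LocalSystem
                ImagePath = $props.ImagePath
            }
        }
    }
}

# Self-check on the path quoted in this page: unquoted form, then quoted form.
$sample = 'C:\Program Files (x86)\Elodea\EventCollector.exe'
[pscustomobject]@{
    UnquotedFlagged = Test-UnquotedServicePath -ImagePath $sample
    QuotedFlagged   = Test-UnquotedServicePath -ImagePath ('"' + $sample + '"')
} | Format-List

# Audit the local host and list every service that needs its path quoted.
Get-UnquotedServicePath | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Any service listed with Account set to LocalSystem is the highest-priority fix, since that is the context in which the path is resolved at service startup.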
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should correct the unquoted service path by enclosing the executable path in quotes. For example, change the service executable path from C:\Program Files (x86)\Elodea\EventCollector.exe to "C:\Program Files (x86)\Elodea\EventCollector.exe". This prevents Windows from misinterpreting the path and executing malicious files placed in higher-priority locations. Additionally, restrict local user permissions to prevent placing executables in system directories and monitor for suspicious files in locations like C:\. Applying the latest patches or updates from the software vendor, if available, is also recommended. [1, 2]