CVE-2021-47864
Unquoted Service Path Vulnerability in OSAS Traverse Extension Allows Privilege Escalation
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osas | traverse_extension | 11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47864 is an unquoted service path vulnerability in the OSAS Traverse Extension 11's TravExtensionHostSvc service. Because the service's executable path contains spaces but is not enclosed in quotes, an attacker with local access can place a malicious executable in a location that Windows might mistakenly execute instead of the legitimate service binary. Since the service runs with LocalSystem privileges, this can lead to arbitrary code execution with elevated privileges. [1, 3]
How can this vulnerability impact me? :
This vulnerability can allow a local attacker to escalate their privileges by executing malicious code with the same high-level privileges as the TravExtensionHostSvc service, which runs under the LocalSystem account. This means an attacker could gain full control over the affected system, potentially leading to system compromise, data theft, or disruption of services. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for unquoted service paths, especially for the 'travextensionhostsvc' service. Commands such as 'wmic service get name,pathname,startmode | findstr /i "Auto"' can list services with auto start. Then, filter for service paths that contain spaces but are not enclosed in quotes and do not start with 'C:\Windows\'. Additionally, you can query the specific service configuration using 'sc.exe qc travextensionhostsvc' to inspect the binary path for unquoted spaces. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves correcting the unquoted service path by enclosing the executable path in quotes to prevent path-based code injection. Specifically, update the 'travextensionhostsvc' service configuration to quote the binary path, for example changing it to "C:\Program Files\Open Systems,Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe". This prevents attackers from placing malicious executables in the service path that could be executed with elevated privileges. [1, 3]