CVE-2021-47869
Unquoted Service Path Vulnerability in Brother BRAdmin Enables Local Code Execution

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges.
Meta Information
Published: 2026-01-21
Last Modified: 2026-01-21
Generated: 2026-05-07
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
brother bradmin_professional 3.75
brother bradmin_professional 3.76
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47869 is an unquoted service path vulnerability in Brother BRAdmin Professional version 3.75, specifically in the BRA_Scheduler service. Because the service path contains spaces and is not enclosed in quotes, a local attacker with write access to the Brother installation directory (C:\Program Files (x86)\Brother\) can place a malicious executable named 'BRAdmin.exe' there. When the system restarts, the service may execute this malicious executable instead of the legitimate one, allowing the attacker to run arbitrary code with SYSTEM-level privileges, effectively escalating their privileges on the system. [2, 3, 5]


How can this vulnerability impact me?

This vulnerability can allow a local user with write access to the Brother installation directory to escalate their privileges to SYSTEM level by executing arbitrary code. This means an attacker could gain full control over the affected system, potentially adding new administrator accounts, installing malware, or performing other malicious actions with the highest system privileges. [2, 3, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the service path of the BRA_Scheduler service to check for unquoted paths. You can use the following commands:

- To detect the unquoted service path:
  wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" | findstr /i /v """
- To query the service configuration:
  sc qc BRA_Scheduler

These commands help identify if the BRA_Scheduler service has an unquoted path that could be exploited. [2, 3]
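The following PowerShell is an added example, not code from the advisory or from Brother. For every unquoted service path containing spaces, it lists the earlier locations Windows would try before the intended executable, so their existence and directory permissions can be reviewed. The sample path is constructed (the page does not give the real BRA_Scheduler ImagePath), and `Get-UnquotedPathCandidates` is a hypothetical helper name.

```powershell
# Added example (not from the advisory). The helper name is hypothetical.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }      # quoted: parsed unambiguously

    # Treat everything up to the first ".exe" as the executable; the rest is arguments.
    $m = [regex]::Match($p, '^(.+?\.exe)\b', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # For an unquoted command line, CreateProcess tries each space-delimited
    # prefix with ".exe" appended, left to right, before the full path.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

# Constructed sample path. It is NOT the real BRA_Scheduler ImagePath.
$sample = 'C:\Program Files (x86)\Brother\BRAdmin Example\scheduler.exe'
Get-UnquotedPathCandidates $sample

# Audit the live system: one row per candidate location of each unquoted service path.
Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    $svc = $_
    foreach ($c in @(Get-UnquotedPathCandidates $svc.PathName)) {
        $dir = Split-Path -Parent $c
        [pscustomobject]@{
            Service    = $svc.Name
            StartMode  = $svc.StartMode
            Candidate  = $c
            FileExists = Test-Path -LiteralPath $c
            DirAccess  = if (Test-Path -LiteralPath $dir) {
                             (Get-Acl -LiteralPath $dir).AccessToString
                         }
        }
    }
}
```

A row with FileExists set to True, or a DirAccess entry granting write rights to non-administrative accounts, warrants review.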


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

- Restrict write permissions to the directory 'C:\Program Files (x86)\Brother\' to prevent unauthorized users from placing a malicious executable named 'BRAdmin.exe'.
- Quote the service path for the BRA_Scheduler service to ensure Windows correctly interprets the executable path and does not execute malicious files placed in the directory.
- Consider updating or patching the BRAdmin Professional software if a fixed version is available.
- As a temporary measure, monitor the directory for suspicious files named 'BRAdmin.exe' and remove any unauthorized executables.
- Restart the system after applying these mitigations to ensure the service runs with the corrected path or permissions.

[2, 5]

