CVE-2021-47890
Unknown Unknown - Not Provided
Unquoted Service Path Vulnerability in LogonExpertSvc Enables Privilege Escalation

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47890
EUVD
EUVD-2026-4296
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
softros_systems logonexpert 8.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an unquoted service path issue in the LogonExpertSvc service of LogonExpert version 8.1. Because the service path contains spaces and is not enclosed in quotes, Windows may misinterpret the path and execute malicious executables placed in intermediate directories. This allows an attacker with local access to place a crafted executable in these directories, which will be run with LocalSystem privileges when the service starts, leading to privilege escalation. [2, 3]

Impact Analysis

An attacker with local access can exploit this vulnerability to execute malicious code with elevated system privileges (LocalSystem). This can lead to full system compromise, unauthorized access, and control over the affected machine, bypassing normal security restrictions. [2, 3]

Detection Guidance

This vulnerability can be detected by checking the service path of the LogonExpertSvc service for unquoted paths containing spaces. You can use the Windows Management Instrumentation Command-line (WMIC) to list services with automatic start mode excluding those in the Windows directory and those with quoted paths. Specifically, you can run the command: `sc qc LogonExpertSvc` to query the service configuration and confirm if the binary path is unquoted. [3]

Mitigation Strategies

Immediate mitigation steps include correcting the unquoted service path by quoting the entire path of the LogonExpertSvc service executable to prevent execution of malicious executables in intermediate directories. Additionally, ensure that only trusted users have write permissions to the directories in the service path to prevent placing malicious executables. Applying updates or patches from the vendor when available is also recommended. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart