CVE-2021-47896
Unquoted Service Path in PDF Complete Allows Privilege Escalation
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pdf_complete | pdf_complete_corporate_edition | 4.1.45 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in the 'pdfcDispatcher' service of PDF Complete Corporate Edition 4.1.45. Because the service executable path contains spaces and is not enclosed in quotes, a local attacker can place a malicious executable in a location that Windows might execute instead of the legitimate service binary. Since the service runs with elevated LocalSystem privileges, this allows the attacker to execute arbitrary code with high-level system access. [2, 3]
How can this vulnerability impact me? :
If exploited, this vulnerability allows a local attacker to execute arbitrary code with elevated LocalSystem privileges on the affected system. This can lead to full system compromise, including unauthorized access, modification, or destruction of data, and disruption of system availability. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths in the 'pdfcDispatcher' service executable path. You can use Windows Management Instrumentation Command-line (WMIC) and Service Control (sc) commands to identify services with unquoted paths that start automatically but do not reside in the Windows directory. For example, use the command: `wmic service get name,pathname,startmode | findstr /i "pdfcDispatcher"` to check the service path. Also, use `sc qc pdfcDispatcher` to query the service configuration and inspect if the executable path is unquoted and contains spaces. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent execution of malicious executables placed in the path. Additionally, ensure that only trusted users have local access to the system to prevent placing malicious executables. Applying the latest updates or patches from the vendor, or upgrading to a newer version of PDF Complete that addresses this issue, is also recommended. [2, 3]