CVE-2022-50808
Unquoted Service Path in CoolerMaster MPService Enables Privilege Escalation
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolermaster | masterplus | 1.8.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in CoolerMaster MasterPlus version 1.8.5's MPService. Because the service executable path contains spaces and is not enclosed in quotes, Windows may misinterpret the path and execute a malicious executable placed by a local attacker in a higher-priority directory during service startup or system reboot. This allows the attacker to execute code with SYSTEM-level privileges by placing a crafted payload named "Program.exe" in locations like the root of the C: drive and then restarting the service or rebooting the system. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow a local attacker to escalate their privileges to SYSTEM level on the affected machine. By exploiting the unquoted service path, the attacker can execute arbitrary code with elevated system privileges, potentially leading to full control over the system, unauthorized access to sensitive data, and the ability to perform malicious actions that require high-level permissions. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for unquoted service paths in the CoolerMaster MasterPlus MPService. One method is to use the Windows Management Instrumentation Command-line (WMIC) to list services with auto start mode and filter out those with paths under C:\Windows\, revealing unquoted paths. For example, you can run the command: wmic service where "startmode='auto' and pathname like '%CoolerMaster%'" get name,pathname,startmode. Then inspect the service path for unquoted spaces, such as C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe. If the path is unquoted and contains spaces, it is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include quoting the service executable path to prevent Windows from misinterpreting the path and executing malicious executables. Alternatively, you can restrict write permissions on directories in the service path to prevent attackers from placing malicious executables. Additionally, avoid placing executables in directories that are higher in the path hierarchy (e.g., C:\) where an attacker could drop a malicious Program.exe. Restarting the service or system after applying these mitigations will prevent exploitation. [1, 2]