CVE-2022-50924
Unknown Unknown - Not Provided
Unquoted Service Path in Private Internet Access Allows Privilege Escalation

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50924
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
private_internet_access private_internet_access 3.3.0.100
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50924 is an unquoted service path vulnerability in Private Internet Access version 3.3. This means the service configuration for 'pia-service' does not properly quote the executable path, allowing local users to place malicious executables in certain directories. When the service starts, Windows may mistakenly execute the malicious code with elevated LocalSystem privileges due to how it parses unquoted paths containing spaces. This allows local attackers to run arbitrary code with high system privileges without requiring user interaction. [2, 4]

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code with elevated system privileges (LocalSystem), which means the attacker could gain full control over the affected system. This could lead to unauthorized access, modification, or destruction of data, installation of persistent malware, or disruption of system availability. [2, 4]

Detection Guidance

This vulnerability can be detected by checking the service configuration for unquoted service paths, specifically for the 'pia-service' service. Commands such as 'wmic service where name="PrivateInternetAccessService" get PathName' or 'sc qc PrivateInternetAccessService' can be used to query the service binary path. If the path contains spaces and is not enclosed in quotes, the system is vulnerable to this unquoted service path issue. [4]

Mitigation Strategies

Immediate mitigation steps include correcting the service path by enclosing it in quotes to prevent the system from misinterpreting the path and executing malicious code. Alternatively, ensure that no malicious executables exist in any path segments that could be executed due to the unquoted path. Restrict local user access to prevent exploitation, and apply any available patches or updates from Private Internet Access addressing this vulnerability. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart