CVE-2022-50930
Unquoted Service Path in Emerson PAC TrapiServer Enables Privilege Escalation
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emerson | pac_machine_edition | 9.80 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in the 'TrapiServer' service of Emerson PAC Machine Edition 9.80. Because the service executable path contains spaces and is not enclosed in quotes, a local attacker can place a malicious executable in a directory path that the system searches before the legitimate executable during service startup. This allows the attacker to execute arbitrary code with elevated privileges, specifically with LocalSystem permissions, potentially compromising the system. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows a local user to execute arbitrary code with elevated privileges (LocalSystem level). This can lead to full system compromise, including unauthorized access, modification, or destruction of data, and disruption of system availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths of the 'TrapiServer' service that start automatically and are not located in the Windows directory. A suggested command to identify this on a Windows system is: wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\" | findstr /i "TrapiServer" | findstr /i /v '"'. This command queries the service configuration to confirm the unquoted path and service details. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent path hijacking. Additionally, restrict local user permissions to prevent unauthorized code placement in directories preceding the legitimate service path. Ensuring the service does not run with unnecessary elevated privileges or disabling the service if not required can also reduce risk. [1, 2]