CVE-2023-54338
Unknown Unknown - Not Provided
Unquoted Service Path in Tftpd32 SE 4.60 Enables Privilege Escalation

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2023-54338
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pjo2 tftpd32_se 4.60
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-54338 is an unquoted service path vulnerability in Tftpd32 SE version 4.60, specifically in the 'Tftpd32_svc' Windows service. Because the service path contains spaces and is not enclosed in quotes, a local attacker can place a malicious executable in a location that Windows might execute instead of the legitimate service binary. This allows the attacker to execute arbitrary code with elevated system-level privileges. [1, 2]

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges to system-level by executing arbitrary code through the unquoted service path. This means the attacker could gain full control over the affected system, potentially compromising confidentiality, integrity, and availability of data and services. [1, 2]

Detection Guidance

This vulnerability can be detected by checking the service path of the 'Tftpd32_svc' Windows service to see if it is unquoted and contains spaces. On a Windows system, you can use the following command to check the service path: sc qc Tftpd32_svc. If the path to the executable is unquoted and contains spaces (e.g., C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe without quotes), the system is vulnerable to this issue. [2]

Mitigation Strategies

To mitigate this vulnerability, immediately quote the service executable path in the service configuration to prevent execution of malicious executables placed in the path. Alternatively, update or patch the Tftpd32_SE software to a version where this issue is fixed. Restrict local user permissions to prevent unauthorized users from placing executables in the service path directories. Additionally, monitor and audit the service path directories for any suspicious files. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54338. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart