CVE-2019-25271
Unknown Unknown - Not Provided
Unquoted Service Path in NETGATE Data Backup Enables Privilege Escalation

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: VulnCheck

Description
NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25271
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netgate data_backup 3.0.620
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking the service configuration for unquoted service paths. Specifically, you can query the Windows service named 'NGDatBckpSrv' to see if its executable path is unquoted."}, {'type': 'list_item', 'content': 'Run the command: sc qc NGDatBckpSrv'}, {'type': 'paragraph', 'content': 'If the output shows the binary path without quotes around the path containing spaces (e.g., C:\\Program Files\\NETGATE\\Data Backup\\DataBackupSrv.exe), the system is vulnerable to this unquoted service path issue.'}] [1]

Executive Summary

CVE-2019-25271 is an unquoted service path vulnerability found in NETGATE Data Backup version 3.0.620, specifically in the Windows service named NGDatBckpSrv.

Because the service path contains spaces and is not enclosed in quotes, Windows may incorrectly parse the executable path.

An attacker with local access can exploit this by placing malicious executable files in certain directories along the service path, causing Windows to execute the malicious code instead of the intended service binary.

This allows the attacker to execute arbitrary code with LocalSystem privileges, effectively escalating their privileges on the system.

Impact Analysis

This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute arbitrary code with LocalSystem privileges.

As a result, the attacker can gain full control over the affected system, compromising its confidentiality, integrity, and availability.

  • Execution of malicious code with elevated privileges
  • Full system compromise
  • Potential unauthorized access to sensitive data
  • Disruption or manipulation of system operations
Compliance Impact

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves correcting the service path by enclosing it in quotes to prevent Windows from misinterpreting the path and executing malicious code.'}, {'type': 'paragraph', 'content': "You should update the service configuration for 'NGDatBckpSrv' to ensure the executable path is properly quoted."}, {'type': 'paragraph', 'content': 'Additionally, restrict local user permissions to prevent unauthorized users from placing executables in directories that could be exploited.'}, {'type': 'paragraph', 'content': 'If available, apply any vendor patches or updates that address this vulnerability.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart