CVE-2019-25276
Unquoted Service Path in FactoryTalk Activation Enables Privilege Escalation
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rockwell_automation | studio_5000_logix_designer | 30.01.00 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Studio 5000 Logix Designer version 30.01.00, specifically in the FactoryTalk Activation Service on Windows systems.
The issue is an unquoted service path vulnerability, meaning the service executable path contains spaces but is not enclosed in quotes.
Because of this, a local attacker can place a malicious executable in a directory along the service path (for example, in C:\Program Files (x86)\Rockwell.exe).
When the service starts, Windows may mistakenly execute the attacker's code with elevated privileges under the LocalSystem account.
This vulnerability allows local users to potentially execute arbitrary code with elevated privileges, leading to privilege escalation. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows a local attacker to execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on a Windows system.
This can lead to full control over the affected system, including the ability to install programs, change or delete data, and create new accounts with full user rights.
Because the service runs automatically and with elevated privileges, the attacker's code can execute during service startup or system reboot, making the attack persistent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the service path of the FactoryTalk Activation Service for unquoted paths containing spaces. Specifically, you should verify if the service executable path is unquoted, such as: C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe.
On a Windows system, you can use the following command to check the service path for unquoted service paths:
- `sc qc "FactoryTalk Activation Service"`
If the path returned by this command is not enclosed in quotes and contains spaces, the system is vulnerable to this unquoted service path issue.
Additionally, you can search for other services with unquoted paths using PowerShell commands such as:
- `Get-WmiObject win32_service | where {$_.pathname -like '* *' -and $_.pathname -notlike '"*"'} | select name, pathname`
This command lists services with spaces in their executable paths that are not enclosed in quotes, which may indicate similar vulnerabilities. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this unquoted service path vulnerability, immediately update the service path to be enclosed in quotes to prevent execution of malicious code placed in directories along the path.
Specifically, modify the FactoryTalk Activation Service executable path from:
- `C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe`
to:
- `"C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe"`
This can be done by editing the service configuration using the registry editor or the sc command.
Additionally, restrict write permissions on directories in the service path, especially on parent directories like C:\Program Files (x86) and C:\Program Files (x86)\Rockwell Software, to prevent attackers from placing malicious executables.
Finally, ensure that the system is patched with any updates provided by Rockwell Automation and consider running the service with the least privileges necessary if possible. [1]
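An added example, not part of the original page and not Rockwell Automation code: a Python triage of service paths exported from `sc qc` or the PowerShell query above, which also separates real findings from paths that are quoted with arguments or only have spaces in their arguments. It uses a simplified model of how Windows resolves an unquoted command line (assumption: each space-delimited prefix gets `.exe` appended) to list the parent directories whose write permissions need review; the function names and the two extra sample services are hypothetical.

```python
import ntpath
import re

# Constructed sample input: (service name, BINARY_PATH_NAME as `sc qc` shows it).
SAMPLE_SERVICES = [
    ("FactoryTalk Activation Service",
     r"C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe"),
    ("QuotedWithArgs (hypothetical)", r'"C:\Program Files\Vendor App\svc.exe" --run'),
    ("SpaceOnlyInArgs (hypothetical)", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

def ambiguous_candidates(image_path):
    """Paths Windows may try before the intended executable; [] if none."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    # The executable portion ends at the first ".exe" followed by whitespace
    # or end of string; with no match, treat the whole string as the path.
    m = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    exe = path[:m.end()] if m else path
    # Assumption (simplified model): every space is a point where the name
    # can be cut short, and ".exe" is appended to the shortened name.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def directories_to_audit(image_path):
    """Parent directories whose write permissions matter for this path."""
    dirs = []
    for candidate in ambiguous_candidates(image_path):
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

def triage(services):
    """Map each affected service name to the directories to review."""
    return {name: directories_to_audit(p) for name, p in services
            if ambiguous_candidates(p)}

if __name__ == "__main__":
    for name, dirs in triage(SAMPLE_SERVICES).items():
        print(name)
        for d in dirs:
            print("  review write access:", d)
```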