CVE-2019-25276
Unknown Unknown - Not Provided
Unquoted Service Path in FactoryTalk Activation Enables Privilege Escalation

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: VulnCheck

Description
Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25276
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rockwell_automation studio_5000_logix_designer 30.01.00
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in Studio 5000 Logix Designer version 30.01.00, specifically in the FactoryTalk Activation Service on Windows systems.'}, {'type': 'paragraph', 'content': 'The issue is an unquoted service path vulnerability, meaning the service executable path contains spaces but is not enclosed in quotes.'}, {'type': 'paragraph', 'content': 'Because of this, a local attacker can place a malicious executable in a directory along the service path (for example, in C:\\Program Files (x86)\\Rockwell.exe).'}, {'type': 'paragraph', 'content': "When the service starts, Windows may mistakenly execute the attacker's code with elevated privileges under the LocalSystem account."}, {'type': 'paragraph', 'content': 'This vulnerability allows local users to potentially execute arbitrary code with elevated privileges, leading to privilege escalation.'}] [1]

Impact Analysis

If exploited, this vulnerability allows a local attacker to execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on a Windows system.

This can lead to full control over the affected system, including the ability to install programs, change or delete data, and create new accounts with full user rights.

Because the service runs automatically and with elevated privileges, the attacker’s code can execute during service startup or system reboot, making the attack persistent.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the service path of the FactoryTalk Activation Service for unquoted paths containing spaces. Specifically, you should verify if the service executable path is unquoted, such as: C:\\Program Files (x86)\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe.'}, {'type': 'paragraph', 'content': 'On a Windows system, you can use the following command to check the service path for unquoted service paths:'}, {'type': 'list_item', 'content': 'sc qc "FactoryTalk Activation Service"'}, {'type': 'paragraph', 'content': 'If the path returned by this command is not enclosed in quotes and contains spaces, the system is vulnerable to this unquoted service path issue.'}, {'type': 'paragraph', 'content': 'Additionally, you can search for other services with unquoted paths using PowerShell commands such as:'}, {'type': 'list_item', 'content': 'Get-WmiObject win32_service | where {$_.pathname -like \'* *\' -and $_.pathname -notlike \'"*"\'} | select name, pathname'}, {'type': 'paragraph', 'content': 'This command lists services with spaces in their executable paths that are not enclosed in quotes, which may indicate similar vulnerabilities.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this unquoted service path vulnerability, immediately update the service path to be enclosed in quotes to prevent execution of malicious code placed in directories along the path.'}, {'type': 'paragraph', 'content': 'Specifically, modify the FactoryTalk Activation Service executable path from:'}, {'type': 'list_item', 'content': 'C:\\Program Files (x86)\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe'}, {'type': 'paragraph', 'content': 'to:'}, {'type': 'list_item', 'content': '"C:\\Program Files (x86)\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe"'}, {'type': 'paragraph', 'content': 'This can be done by editing the service configuration using the registry editor or the sc command.'}, {'type': 'paragraph', 'content': 'Additionally, restrict write permissions on directories in the service path, especially on parent directories like C:\\Program Files (x86) and C:\\Program Files (x86)\\Rockwell Software, to prevent attackers from placing malicious executables.'}, {'type': 'paragraph', 'content': 'Finally, ensure that the system is patched with any updates provided by Rockwell Automation and consider running the service with the least privileges necessary if possible.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart