CVE-2019-25281
Unquoted Service Path Vulnerability in NCP Secure Entry Client Allows Privilege Escalation
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ncp | secure_entry_client | 9.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in NCP Secure Entry Client 9.2 on Windows and is caused by unquoted service paths in multiple services such as ncprwsnt, rwsrsu, ncpclcfg, and NcpSec.
Because the executable paths contain spaces but are not enclosed in quotation marks, a local attacker can place a malicious executable in a path segment that the system misinterprets.
When the affected services start automatically with elevated LocalSystem privileges, the malicious code can be executed with those high privileges, potentially allowing arbitrary code execution.
How can this vulnerability impact me? :
This vulnerability can lead to local privilege escalation on a Windows system running NCP Secure Entry Client 9.2.
An attacker with local access can exploit the unquoted service paths to execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on Windows.
This could allow the attacker to take full control of the affected system, install malware, access sensitive data, or disrupt system operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths in the installed NCP Secure Entry Client services on Windows systems.
Specifically, you should inspect the executable paths of services such as ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to see if their binary paths contain spaces and are not enclosed in quotation marks.
A common method to detect unquoted service paths is to use the Windows command line to query service configurations.
- Run the command: sc qc <service_name> (e.g., sc qc ncprwsnt) to display the binary path of the service.
- Look for paths with spaces that are not enclosed in quotes, for example: C:\Program Files (x86)\NCP\SecureClient\service.exe
- Alternatively, use PowerShell to list all services and their paths, then filter for unquoted paths containing spaces.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, immediately correct the unquoted service paths by enclosing the executable paths in quotation marks.'}, {'type': 'paragraph', 'content': 'This prevents the system from misinterpreting the path and executing malicious code placed in path segments.'}, {'type': 'list_item', 'content': 'Use the sc config command to update the service binary path with quotes, for example: sc config ncprwsnt binPath= ""C:\\Program Files (x86)\\NCP\\SecureClient\\service.exe""'}, {'type': 'list_item', 'content': 'Ensure that only trusted users have write permissions to directories in the service path to prevent insertion of malicious executables.'}, {'type': 'list_item', 'content': 'Consider applying any available patches or updates from the vendor that address this issue.'}, {'type': 'list_item', 'content': 'Restart the affected services or the system after making these changes to ensure the corrected paths are used.'}] [1]