CVE-2019-25281
Unknown Unknown - Not Provided
Unquoted Service Path Vulnerability in NCP Secure Entry Client Allows Privilege Escalation

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: VulnCheck

Description
NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25281
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ncp secure_entry_client 9.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in NCP Secure Entry Client 9.2 on Windows and is caused by unquoted service paths in multiple services such as ncprwsnt, rwsrsu, ncpclcfg, and NcpSec.

Because the executable paths contain spaces but are not enclosed in quotation marks, a local attacker can place a malicious executable in a path segment that the system misinterprets.

When the affected services start automatically with elevated LocalSystem privileges, the malicious code can be executed with those high privileges, potentially allowing arbitrary code execution.

Impact Analysis

This vulnerability can lead to local privilege escalation on a Windows system running NCP Secure Entry Client 9.2.

An attacker with local access can exploit the unquoted service paths to execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on Windows.

This could allow the attacker to take full control of the affected system, install malware, access sensitive data, or disrupt system operations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the installed NCP Secure Entry Client services on Windows systems.

Specifically, you should inspect the executable paths of services such as ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to see if their binary paths contain spaces and are not enclosed in quotation marks.

A common method to detect unquoted service paths is to use the Windows command line to query service configurations.

  • Run the command: sc qc <service_name> (e.g., sc qc ncprwsnt) to display the binary path of the service.
  • Look for paths with spaces that are not enclosed in quotes, for example: C:\Program Files (x86)\NCP\SecureClient\service.exe
  • Alternatively, use PowerShell to list all services and their paths, then filter for unquoted paths containing spaces.
Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, immediately correct the unquoted service paths by enclosing the executable paths in quotation marks.'}, {'type': 'paragraph', 'content': 'This prevents the system from misinterpreting the path and executing malicious code placed in path segments.'}, {'type': 'list_item', 'content': 'Use the sc config command to update the service binary path with quotes, for example: sc config ncprwsnt binPath= ""C:\\Program Files (x86)\\NCP\\SecureClient\\service.exe""'}, {'type': 'list_item', 'content': 'Ensure that only trusted users have write permissions to directories in the service path to prevent insertion of malicious executables.'}, {'type': 'list_item', 'content': 'Consider applying any available patches or updates from the vendor that address this issue.'}, {'type': 'list_item', 'content': 'Restart the affected services or the system after making these changes to ensure the corrected paths are used.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart