CVE-2019-25283
Unquoted Service Path in Shrew Soft VPN Allows Privilege Escalation
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shrew_soft | vpn_client | up to and including 2.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Shrew Soft VPN Client version 2.2.2 is an unquoted service path issue in the 'iked' service. This means the executable path for the service contains spaces but lacks proper quotation marks, allowing local users with limited privileges to place malicious executables in directories along the service path.

When the system starts the service or reboots, the Windows Service Control Manager might execute the malicious executable with elevated system privileges, leading to arbitrary code execution with high-level access.

This vulnerability is classified under CWE-428 (Unquoted Search Path or Element) and affects all versions up to and including 2.2.2 of the Shrew Soft VPN Client. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow a local attacker to escalate their privileges from limited user access to elevated system privileges by executing arbitrary code during service startup or system reboot.
Because the affected services run with LocalSystem privileges and are set to auto-start, exploitation can lead to full control over the affected system, compromising confidentiality, integrity, and availability.
An attacker who can write to directories in the service path undetected by security software can exploit this vulnerability, potentially leading to system takeover or persistent malicious control.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths in the Shrew Soft VPN Client's 'iked' service executable path. Specifically, look for service paths that include spaces but lack proper quotation marks, such as: `C:\Program Files\ShrewSoft\VPN Client\iked.exe -service`.

On Windows systems, you can use commands to list services and their executable paths to identify unquoted paths. For example, running the following command in an elevated command prompt can help detect unquoted service paths:

- `sc qc iked`

This command queries the configuration of the 'iked' service and shows the executable path. If the path is unquoted and contains spaces, it indicates the presence of the vulnerability.

Additionally, you can use PowerShell to find all services with unquoted paths by running:

- `Get-WmiObject win32_service | where { $_.PathName -like '* *' -and $_.PathName -notlike '"*"*' } | select Name, PathName`

This command lists all services whose executable paths contain spaces but are not enclosed in quotes, which is a common indicator of this vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately ensure that the service executable paths are properly quoted to prevent execution of malicious executables placed in the unquoted path.

Specifically, update the service path for the 'iked' service to include quotation marks around the executable path, for example:

- `"C:\Program Files\ShrewSoft\VPN Client\iked.exe" -service`

If possible, update or patch the Shrew Soft VPN Client to a version that addresses this vulnerability.

Additionally, restrict write permissions on directories in the service path to prevent local users from placing malicious executables.

As a temporary measure, consider disabling or stopping the vulnerable service until a proper fix or patch is applied. [1, 2]
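The detection check and the quoting fix from the two answers above, combined into one PowerShell script as an added example (not code from the advisory, VulnCheck, or Shrew Soft). The service name 'iked' and its path come from the advisory; the function names and the `-WhatIf` switch are this example's own choices, and the registry write needs an elevated session.

```powershell
# Added example: audit services for unquoted paths and quote the one named
# in the advisory. Mirrors the page's one-liner heuristic: a path with a space
# that does not start with a double quote is flagged.

function Test-UnquotedServicePath {
    param([string]$PathName)
    if (-not $PathName) { return $false }               # drivers may have no path
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }           # already quoted: safe
    $end = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    $exe = if ($end -ge 0) { $p.Substring(0, $end + 4) } else { $p }
    return ($exe -match ' ')                            # space inside an unquoted exe path
}

function Get-QuotedServicePath {
    # Wraps the executable in quotes and leaves the arguments (e.g. -service) as they are.
    param([string]$PathName)
    $p = $PathName.Trim()
    $end = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($p.StartsWith('"') -or $end -lt 0) { return $p } # nothing to quote, or exe not located
    return '"' + $p.Substring(0, $end + 4) + '"' + $p.Substring($end + 4)
}

function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ServiceName, [switch]$WhatIf)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service '$ServiceName' not found" }
    if (-not (Test-UnquotedServicePath $svc.PathName)) {
        Write-Host "${ServiceName}: path is quoted or has no spaces; nothing to do"
        return
    }
    $fixed = Get-QuotedServicePath $svc.PathName
    if ($fixed -eq $svc.PathName.Trim()) { throw "${ServiceName}: could not locate the .exe to quote" }
    Write-Host "${ServiceName}: '$($svc.PathName)' -> '$fixed'"
    if ($WhatIf) { return }
    # ImagePath is what the Service Control Manager reads at start-up; keep it REG_EXPAND_SZ.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" `
                     -Name ImagePath -Value $fixed -Type ExpandString
}

# 1. Audit every service (same check as the Get-WmiObject one-liner, via CIM).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, PathName

# 2. Preview the fix for the service the advisory names; drop -WhatIf to apply it.
Repair-UnquotedServicePath -ServiceName 'iked' -WhatIf
```

After applying the fix, re-run `sc qc iked` and confirm the BINARY_PATH_NAME now starts with a double quote; restart the service so the new ImagePath is in use.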