CVE-2019-25292
Unquoted Service Path in Alps HID Monitor Allows Privilege Escalation
Publication date: 2026-02-06
Last updated on: 2026-02-06
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alps | hid_monitor_service | to 8.1.0.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the immediate step is to correct the unquoted service path by enclosing the executable path in double quotes.
This prevents Windows from misinterpreting the path and executing malicious executables placed in path segments.
Alternatively, ensure that no untrusted executables exist in any directory along the service path.
If possible, update or patch the Alps HID Monitor Service to a version where this issue is fixed.
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2019-25292 is an unquoted service path vulnerability in Alps HID Monitor Service version 8.1.0.10. The service executable path "C:\\Program Files\\Apoint2K\\HidMonitorSvc.exe" is not enclosed in quotes, which allows local attackers to place malicious executables in directories along the path. When the service starts, Windows may execute the malicious executable instead of the legitimate one, leading to arbitrary code execution with elevated system-level privileges.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability allows a local attacker with limited privileges to escalate their privileges to system-level by exploiting the unquoted service path. By placing a malicious executable in a specific directory along the service path, the attacker can have their code executed with elevated privileges when the service starts automatically. This can lead to full control over the affected system, including the ability to execute arbitrary code, compromise system integrity, and potentially install persistent malware.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying services with unquoted executable paths, especially those that start automatically and are located outside the Windows directory.'}, {'type': 'paragraph', 'content': 'One method involves using Windows Management Instrumentation Command-line (WMIC) to list services with auto start mode excluding those in the Windows directory and without quotes in their executable paths.'}, {'type': 'paragraph', 'content': "Additionally, the 'sc qc' command can be used to query the service configuration and confirm if the executable path is unquoted."}, {'type': 'list_item', 'content': 'wmic service where "startmode=\'auto\' and pathname not like \'%"%"%\' and pathname not like \'%Windows%\'%" get name,pathname,startmode'}, {'type': 'list_item', 'content': 'sc qc ApHidMonitorService'}] [1]