Executive Summary

CVE-2026-24466 is a security vulnerability found in certain Windows utilities provided by Oki Electric Industry Co., Ltd. and its OEM partners. The issue arises because Windows services are registered with unquoted file paths for their executable files.

This lack of quotation marks around the executable path creates an unquoted service path vulnerability (CWE-428), which can allow a local user who has write permissions on the root directory of the system drive to execute arbitrary code with SYSTEM privileges.

In simpler terms, if an attacker can place a malicious executable in certain locations on the system drive, the system might run that malicious code with the highest system privileges, potentially compromising the entire system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a serious security impact because it allows a local attacker with write access to the root of the system drive to execute arbitrary code with SYSTEM privileges.

The attacker could gain full control over the affected system, potentially leading to unauthorized access, data modification, or disruption of system availability.

Since the vulnerability affects confidentiality, integrity, and availability at a high level, it poses a significant risk to the security of the system and any sensitive data it holds.

For some affected products, such as those from Murata Machinery, Ltd., no patches are available due to discontinued support, increasing the risk if these utilities continue to be used in networked environments.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from Windows services registered with unquoted executable file paths. To detect it, you need to identify Windows services whose executable paths are not enclosed in quotation marks.'}, {'type': 'paragraph', 'content': 'A common method to detect unquoted service paths is to list all services and check their executable paths for missing quotes. On a Windows system, you can use the following commands:'}, {'type': 'list_item', 'content': 'Using PowerShell to list services and check for unquoted paths: Get-WmiObject win32_service | Where-Object { $_.PathName -and $_.PathName -notmatch \'^".*"\' } | Select-Object Name, PathName'}, {'type': 'list_item', 'content': 'Using the command prompt to query services and manually inspect paths: sc qc <service_name>'}, {'type': 'paragraph', 'content': 'Look for service executable paths that contain spaces but are not enclosed in quotation marks, as these are vulnerable to this issue.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the affected utilities to the patched or newer versions provided by the vendors.

• Download and install updated versions or patches from the official OKI website for affected utilities such as Configuration Tool, smart Print Super Vision, Print Job Accounting, Web Driver Installer, Storage Device Manager, PDF Print Direct, and Profile Assistant.
• For Configuration Tool, update to version 2.0.2 or 1.8.2 (Pro3 series). For smart Print Super Vision, update to version 2.0.3.

If you are using affected Murata Machinery utilities that have reached end of support with no patches available, immediately cease using these utilities in network environments and consider upgrading to newer models that support current security standards.

Applying these updates or discontinuing use of unsupported utilities will prevent exploitation of the unquoted service path vulnerability.

Useful 0 Not Useful 0