CVE-2026-2542
Unknown Unknown - Not Provided
Unquoted Search Path Vulnerability in Total VPN win-service.exe

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A weakness has been identified in Total VPN 0.5.29.0 on Windows. Affected by this vulnerability is an unknown functionality of the file C:\Program Files\Total VPN\win-service.exe. Executing a manipulation can lead to unquoted search path. It is possible to launch the attack on the local host. This attack is characterized by high complexity. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-16
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2542
EUVD
EUVD-2026-6120
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
total_vpn total_vpn 0.5.29.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the service path of the Total VPN Windows service (win-service.exe) for unquoted spaces.'}, {'type': 'list_item', 'content': 'Use the command to query the service path: sc qc "Total VPN"'}, {'type': 'list_item', 'content': 'Look for spaces in the ImagePath value that are not enclosed in quotation marks.'}, {'type': 'list_item', 'content': 'Additionally, check if a file named "Program.exe" exists in the root of the C:\\ drive, as placing a malicious executable there can exploit this vulnerability.'}] [3]

Impact Analysis

This vulnerability can lead to privilege escalation by allowing an attacker to execute arbitrary code with the privileges of the Total VPN service.

Exploitation can compromise the confidentiality, integrity, and availability of the affected system by enabling unauthorized code execution and potential data compromise or alteration of system functionality.

Since the attack requires local access and is complex, the risk is limited to attackers who already have some level of access to the system.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2542 is an unquoted service path vulnerability found in Total VPN version 0.5.29.0 on Windows. The issue arises because the service path for the executable file win-service.exe contains spaces but lacks quotation marks. This allows Windows to misinterpret the path during service startup.'}, {'type': 'paragraph', 'content': 'A local attacker can exploit this by placing a malicious executable named "Program.exe" in the root of the C:\\ drive. When the Total VPN service restarts, Windows may execute this malicious executable instead of the legitimate service executable, leading to code execution with the privileges of the Total VPN service.'}, {'type': 'paragraph', 'content': 'The attack is complex and requires local access. Exploitation is considered difficult, and no public exploit currently exists. The vendor was contacted but did not respond.'}] [2, 3]

Compliance Impact

I don't know

Mitigation Strategies

Currently, no official vendor response or patch is available for this vulnerability.

Immediate mitigation steps include:

  • Avoid placing any executable files in directories that could be interpreted due to the unquoted service path, especially the root of the C:\ drive.
  • Manually edit the service path to include quotation marks around the executable path if possible.
  • Consider replacing the affected Total VPN product with an alternative VPN solution that is not vulnerable.
  • Restrict local user permissions to prevent unauthorized file creation in critical directories.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2542. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart