CVE-2023-54353
Received - Intake
Unquoted Service Path in ChromaCam 4.0.3.0

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
ChromaCam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.
Meta Information

Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    | Product   | Version / Range
personify | chromacam | 4.0.3.0
personify | chromacam | to 4.0.3.0 (exc)

CWE

CWE ID  | Description
CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Executive Summary

CVE-2023-54353 is an unquoted service path vulnerability in ChromaCam version 4.0.3.0, specifically in the PsyFrameGrabberService. It allows local attackers who have write access to certain directories on the system, such as C:\ or C:\Program Files (x86)\Personify\, to place malicious executable files there. Because the service path is unquoted, the system may execute these files with LocalSystem privileges when the service starts automatically at boot, enabling arbitrary code execution.

Impact Analysis

The impact is significant because an attacker with local write access can execute arbitrary code with LocalSystem privileges. The attacker can then gain full control over the affected system, potentially leading to unauthorized access, data theft, system manipulation, or further malware installation.

Detection Guidance

This vulnerability can be detected by checking the service path of the PsyFrameGrabberService in ChromaCam 4.0.3.0 or earlier versions. Specifically, inspect the service path for spaces that are not enclosed in quotes, which could allow execution of malicious executables placed by an attacker.

On a Windows system, you can use the following command to check the service path for PsyFrameGrabberService:

  • sc qc PsyFrameGrabberService

Look for unquoted paths in the output, especially paths containing spaces without surrounding quotes. Additionally, check for suspicious executable files named Program.exe or PsyFrameGrabberService.exe in directories like C:\ or C:\Program Files (x86)\Personify\ which could indicate exploitation attempts.
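
The check described above can be automated over saved `sc qc` output. The following Python is an added example, not part of the original advisory or the vendor's tooling; the sample output is constructed, and EXAMPLE_SUBDIR is a placeholder because the page does not give the full install path.

```python
import re

# Constructed `sc qc` output (not captured from a real host). EXAMPLE_SUBDIR is
# a placeholder: the page does not give the service's full install path.
SAMPLE_SC_QC = r"""
SERVICE_NAME: PsyFrameGrabberService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Personify\EXAMPLE_SUBDIR\PsyFrameGrabberService.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*?)[ \t]*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def exe_portion(path):
    """Drop trailing arguments: keep text up to the first '.exe' that ends a token."""
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", path)
    return m.group(1) if m else path

def is_unquoted_with_spaces(path):
    """True when the executable path contains a space and is not quoted."""
    if not path or path.startswith('"'):
        return False
    return " " in exe_portion(path)

def shadow_candidates(path):
    """File names Windows tries before the real binary: each prefix cut at a space, plus .exe."""
    exe = exe_portion(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(sc_qc_output):
    """Summarise one service: its path, whether it is flagged, and which files to look for."""
    path = binary_path(sc_qc_output)
    flagged = is_unquoted_with_spaces(path)
    return {"path": path, "unquoted": flagged,
            "check_for": shadow_candidates(path) if flagged else []}

if __name__ == "__main__":
    print(audit(SAMPLE_SC_QC))
```

Any file that exists at one of the `check_for` locations on a flagged host should be treated as suspicious and investigated.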

Mitigation Strategies

To mitigate this vulnerability, immediately restrict write access to the directories involved, such as C:\ and C:\Program Files (x86)\Personify\, to prevent attackers from placing malicious executables.

Additionally, update ChromaCam to a version later than 4.0.3.0, as the vulnerability exists in version 4.0.3.0 and earlier. If an update is not available, manually correct the service path by quoting it properly to prevent execution of malicious files.

Finally, monitor the system for suspicious files named Program.exe or PsyFrameGrabberService.exe in the affected directories and remove any unauthorized files.
