Primary

Context

DiskPulse Unquoted Service Path Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in DiskPulse Enterprise version 13.6.14 due to an unquoted service path in the Windows service configuration. This flaw allows local attackers to execute arbitrary code by exploiting the unquoted path in the service executable. Attackers can inject malicious executables to escalate privileges.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated privileges.

Reproduction

The vulnerability can be reproduced by installing DiskPulse Enterprise version 13.6.14 and then using the Windows Management Instrumentation Command-line (WMIC) tool to query the service configuration. The unquoted service path can be identified, which indicates the presence of the vulnerability. Once the unquoted path is confirmed, malicious executables can be injected into the service path to execute arbitrary code with escalated privileges.

Added: Jan 16, 2026, 12:59 AM

Updated: Jan 16, 2026, 12:59 AM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

10.0

exploitability

4.3

remediation

0.0

relevance

2.1

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

10.0

exploitability

4.3

remediation

0.0

relevance

2.1

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

DiskPulse Unquoted Service Path Vulnerability Allowing Privilege Escalation

Vulnerability

Impact

Reproduction

Affected Products

DiskPulse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating