Acer Updater Service Unquoted Service Path Vulnerability Allowing Elevated Privileges
Vulnerability
A vulnerability exists in the Acer Updater Service version 1.2.3500.0, where an unquoted service path allows local users to execute code with elevated system privileges. The vulnerability arises because the service binary path 'C:\Program Files\Acer\Acer Updater\UpdaterService.exe' contains spaces but is not enclosed in quotes, so when the service starts Windows resolves the path ambiguously and tries the space-delimited prefixes of the path before the intended binary. A local user who can place an executable at one of those locations would have it run with LocalSystem permissions when the service starts.
Impact
Exploitation of this vulnerability could lead to unauthorized code execution with elevated privileges: a local user could run a payload of their choosing as LocalSystem, that is, with full system-level rights.
Reproduction
The vulnerability can be reproduced by creating a malicious executable and placing it in a directory that is not monitored by the operating system or security applications. Once the executable is in place, starting the Acer Updater Service executes the malicious code with elevated privileges.
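As an added defender-side check (not part of this advisory), the following PowerShell script lists every installed service whose binary path is unquoted and contains a space, which is exactly the condition described above, and with -Fix writes the quoted path back to the service's ImagePath registry value. It assumes an elevated session and that the service's configuration lives under HKLM:\SYSTEM\CurrentControlSet\Services\<name>.

```powershell
# Added audit example: find services with unquoted, space-containing binary
# paths and optionally quote them. Read-only unless -Fix is given.
param([switch]$Fix)

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    # Paths that already start with a double quote are safe.
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    # Separate the executable from its arguments: take up to the first ".exe".
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $PathName }
    # Vulnerable condition: unquoted AND the executable path contains a space.
    return $exe.Contains(' ')
}

function Get-QuotedServicePath {
    param([string]$PathName)
    # Wrap only the executable part in quotes; keep any arguments untouched.
    $m = [regex]::Match($PathName, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { return '"' + $PathName + '"' }
    return '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
}

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            StartName = $_.StartName      # e.g. LocalSystem: highest impact
            PathName  = $_.PathName
            Fixed     = Get-QuotedServicePath $_.PathName
        }
    }

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Assumption: the service key is under the standard Services hive path.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
        Set-ItemProperty -Path $key -Name ImagePath -Value $f.Fixed
        Write-Host "Quoted ImagePath for service '$($f.Name)'"
    }
}
```

The registry change takes effect the next time the service starts, so restart the affected service (or reboot) after running with -Fix.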
