CVE-2019-25271
Published: 05 February 2026
Summary
CVE-2019-25271 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Netgate (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25271 is an unquoted service path vulnerability in NETGATE Data Backup version 3.0.620, specifically affecting the NGDatBckpSrv Windows service configuration. Published on 2026-02-05, this issue falls under CWE-428 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential from local access.
A local attacker with low privileges can exploit the unquoted path by placing malicious executable files in specific directory locations traversed by the service. Successful exploitation allows injection and execution of arbitrary code with LocalSystem privileges, enabling full system compromise including high confidentiality, integrity, and availability impacts.
Advisories and related resources include the vendor site at http://www.netgate.sk/, a proof-of-concept exploit at https://www.exploit-db.com/exploits/47746, and a VulnCheck advisory at https://www.vulncheck.com/advisories/netgate-data-backup-ngdatbckpsrv-unquoted-service-path, which detail the vulnerability and exploitation methods.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19395
Vulnerability details
NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path directly matches T1574.009 Path Interception by Unquoted Path; exploitation yields SYSTEM-level code execution, mapping to T1068 Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces secure configuration settings for Windows services, including properly quoted executable paths to directly prevent exploitation of unquoted service path vulnerabilities like CVE-2019-25271.
Requires identification, reporting, and correction of flaws such as the unquoted service path in NGDatBckpSrv, enabling timely patches or configuration fixes to mitigate the vulnerability.
Vulnerability scanning detects unquoted service path issues in service configurations like NGDatBckpSrv, allowing for identification and subsequent remediation of CVE-2019-25271.