CVE-2019-25287
Published: 05 February 2026
Summary
CVE-2019-25287 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 4.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2019-25287 is an unquoted service path vulnerability in Adaware Web Companion version 4.8.2078.3950, specifically affecting the WCAssistantService. The flaw stems from an unquoted path at C:\Program Files (x86)\Lavasoft\Web Companion\Application\, which enables local users to potentially execute arbitrary code with elevated privileges. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-428 (Unquoted Search Path or Element).
A local attacker with low privileges can exploit this vulnerability by placing a malicious executable in a directory that the system searches before the legitimate service binary due to the unquoted path. Upon WCAssistantService startup, the injected code executes with LocalSystem privileges, allowing high-impact compromise of confidentiality, integrity, and availability on the affected system.
Advisories such as the VulnCheck report detail the unquoted service path issue in WCAssistantService, while Exploit-DB hosts a proof-of-concept exploit at exploits/47597. The vendor's site at webcompanion.com provides further context on the software, though specific patch details are not outlined in the CVE record.
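The check below is an added example, not code from the CVE record or the vendor. It audits service ImagePath values for the unquoted-path condition described above and returns the quoted value to configure instead. The service inventory is constructed, and the binary file name `ServiceBinary.exe` is a placeholder, since the page gives only the directory.

```python
import re

# Executable portion of an unquoted ImagePath: everything up to the first
# ".exe" that is followed by whitespace or end of string; the rest is arguments.
_EXE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>(?:\s.*)?)$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return (finding, suggested_value) for one service ImagePath string."""
    value = image_path.strip()
    if value.startswith('"'):
        return ("ok-quoted", value)
    m = _EXE.match(value)
    if m is None:
        # No .exe token (for example a kernel driver .sys path); not judged here.
        return ("skipped", value)
    exe, args = m.group("exe"), m.group("args")
    if " " not in exe:
        # Spaces that appear only in the arguments do not make the path ambiguous.
        return ("ok-no-space", value)
    return ("unquoted-with-space", f'"{exe}"{args}')


def audit_services(services):
    """services: dict of name -> ImagePath. Returns flagged name -> quoted value."""
    findings = {}
    for name, path in services.items():
        status, fix = audit_image_path(path)
        if status == "unquoted-with-space":
            findings[name] = fix
    return findings


# Constructed sample inventory. The directory of the first entry is the one the
# page names; "ServiceBinary.exe" is a placeholder, not the real file name.
SAMPLE = {
    "WCAssistantService": r"C:\Program Files (x86)\Lavasoft\Web Companion\Application\ServiceBinary.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgSpaceSvc": r"C:\Tools\agent.exe --config C:\My Data\agent.ini",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fix in audit_services(SAMPLE).items():
        print(f"{name}: set ImagePath to {fix}")
```

On a live host the same function can be fed the ImagePath values exported from the services registry key or a service inventory report.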
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19386
Vulnerability details
Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unquoted service path in WCAssistantService directly enables path interception for privilege escalation to LocalSystem via malicious executable placement.
Mitigating Controls (NIST 800-53 r5)
Enforces secure configuration settings for Windows services, including properly quoted executable paths to directly prevent unquoted service path vulnerabilities like CVE-2019-25287.
Requires identification, reporting, and timely remediation of flaws such as the unquoted service path in Adaware Web Companion's WCAssistantService.
Restricts execution to authorized software only, preventing the malicious executable placed by local attackers from running during service startup exploitation.