CVE-2019-25305
Published: 06 February 2026
Summary
CVE-2019-25305 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Inforprograma (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2019-25305 is an unquoted service path vulnerability affecting JumpStart version 0.6.0.0. The issue resides in the jswpbapi service, which runs with LocalSystem privileges. The service's executable path contains spaces and is registered without enclosing quotation marks, a misconfiguration that can be exploited for arbitrary code execution.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required. Successful exploitation grants the attacker elevated system permissions, resulting in high confidentiality, integrity, and availability impacts (CVSS 7.8). The attacker can inject and execute malicious code in the context of LocalSystem.
Further technical information is available from an exploit at https://www.exploit-db.com/exploits/47549, details at https://www.inforprograma.net/, and a vulnerability advisory at https://www.vulncheck.com/advisories/jumpstart-jswpbapi-unquoted-service-path.
An exploit is publicly available, indicating potential for real-world abuse by local attackers on affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19408
Vulnerability details
JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unquoted service path in a LocalSystem service directly matches Path Interception by Unquoted Path (T1574.009), enabling local privilege escalation via malicious binary placement.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Mandates secure configuration settings for services, including properly quoted executable paths with spaces, directly preventing exploitation of unquoted service path vulnerabilities.
- Enforces least privilege for services, limiting the impact of code execution even if an unquoted service path is exploited by requiring non-LocalSystem accounts where possible.
- Requires vulnerability scanning that identifies unquoted service path misconfigurations like CVE-2019-25305 for timely remediation.
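
A check of the kind the scanning control describes, together with the quoted form the configuration control calls for, as an added PowerShell example that is not part of the original advisory or the vendor's code. The function names, service names and paths are constructed placeholders; the advisory does not give the jswpbapi path.

```powershell
# Added example (not from the advisory). All sample services and paths are constructed.

function Test-UnquotedServicePath {
    # True when the executable part of a service PathName is unquoted and contains a space.
    param([AllowEmptyString()][string]$PathName)

    $p = "$PathName".Trim()
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }   # empty or already quoted
    # Executable part = shortest prefix ending in ".exe"; anything after it is arguments.
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') { return $false }
    return $Matches['exe'].Contains(' ')
}

function Get-QuotedServicePath {
    # Returns the corrected value: executable wrapped in quotes, arguments unchanged.
    param([string]$PathName)

    $p = $PathName.Trim()
    if (-not $p.StartsWith('"') -and $p -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        return '"' + $Matches['exe'] + '"' + $Matches['args']
    }
    return $p
}

# Constructed stand-ins for Win32_Service objects (Name, StartName, PathName).
$samples = @(
    [pscustomobject]@{ Name = 'example-quoted';   StartName = 'LocalSystem'
                       PathName = '"C:\Program Files\Example Vendor\App\svc.exe" -run' }
    [pscustomobject]@{ Name = 'example-unquoted'; StartName = 'LocalSystem'
                       PathName = 'C:\Program Files\Example Vendor\App\svc.exe -run' }
    [pscustomobject]@{ Name = 'example-nospace';  StartName = 'LocalSystem'
                       PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

# Swap $samples for (Get-CimInstance Win32_Service) to audit a live host.
$samples |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartName, PathName,
        @{ Name = 'QuotedPath'; Expression = { Get-QuotedServicePath $_.PathName } }
```

Only the `example-unquoted` entry is reported; the `StartName` column shows which findings run as LocalSystem and should be prioritised.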