CVE-2021-47780
Published: 16 January 2026
Summary
CVE-2021-47780 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Macro-Expert Macro Expert. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47780 is an unquoted service path vulnerability in Macro Expert 4.7. The issue stems from an improperly configured service path, enabling local users to potentially execute arbitrary code with elevated system privileges. Attackers can inject malicious executables into the path, which are then run with LocalSystem permissions during service startup. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-428 (Unquoted Search Path).
The vulnerability can be exploited by local users with low privileges, requiring low attack complexity and no user interaction. An attacker gains the ability to execute code as LocalSystem upon service restart or boot, achieving high impacts on confidentiality, integrity, and availability, effectively compromising the entire system.
Advisories and resources include the Vulncheck advisory at https://www.vulncheck.com/advisories/macro-expert-unquoted-service-path, a proof-of-concept exploit at https://www.exploit-db.com/exploits/50431, and the vendor site at http://www.macro-expert.com/.
A publicly available exploit on Exploit-DB indicates potential for real-world local privilege escalation attacks against affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3037
Vulnerability details
Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem…
more
permissions during service startup.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path directly enables path interception for privilege escalation to LocalSystem via malicious executable placement in service binary path.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces secure configuration settings for services, including properly quoting executable paths to directly prevent exploitation of unquoted service path vulnerabilities.
Requires identification, reporting, and timely remediation of flaws like the unquoted service path vulnerability through patches or configuration fixes.
Mandates least privilege for service accounts, limiting the impact of arbitrary code execution gained via the unquoted service path.