CVE-2021-47787

Severity: High · Public PoC

Published: 16 January 2026

Modified: 09 February 2026
KEV Added: not listed
Patch: none listed
CVSS v4.0 base score: 8.5 (High)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0023 (13.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47787 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in TotalAV (vendor: totalav, product: totalav). Its CVSS v4.0 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE is ranked at the 13.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47787 is an unquoted service path vulnerability (CWE-428) in TotalAV version 5.15.69. The issue affects multiple system services that run with LocalSystem privileges. Because the service's executable path is not quoted and contains spaces, Windows resolves it ambiguously: an attacker who can write to one of the intermediate path segments can place an executable there that the service control manager launches instead of the intended binary, potentially gaining SYSTEM-level access.

The vulnerability also carries a CVSS v3.1 base score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. A local attacker with low privileges can exploit it with low complexity and no user interaction, achieving privilege escalation to SYSTEM through the hijacked service execution.

Advisories and references detail the issue, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/50314, the vendor site at https://www.totalav.com, and a VulnCheck advisory at https://www.vulncheck.com/advisories/totalav-unquoted-service-path. These resources provide further technical details on the vulnerability and exploitation.

Vulnerability details

TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration.

CWE(s): CWE-428 Unquoted Search Path or Element

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1574.009 Path Interception by Unquoted Path (tag: Stealth)
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Direct unquoted service path (CWE-428) enables path interception by placing a malicious binary in an intermediate directory segment, hijacking LocalSystem service execution for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36928 (shared CWE-428)
CVE-2023-54336 (shared CWE-428)
CVE-2020-37048 (shared CWE-428)
CVE-2019-25306 (shared CWE-428)
CVE-2020-36979 (shared CWE-428)
CVE-2020-36929 (shared CWE-428)
CVE-2020-37017 (shared CWE-428)
CVE-2021-47859 (shared CWE-428)
CVE-2019-25309 (shared CWE-428)
CVE-2021-47790 (shared CWE-428)

Affected Assets

Vendor: totalav
Product: totalav
Version: 5.15.69

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of flaws like the unquoted service path in TotalAV services, directly remediating the vulnerability to prevent privilege escalation.

Prevent: CM-6 (Configuration Settings) mandates secure configuration settings for system components, including properly quoting service paths to block executable hijacking in unquoted segments.

Prevent: AC-6 (Least Privilege) requires services to run with the minimal necessary privileges rather than LocalSystem, limiting the impact of successful path hijacking.
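The CM-6 and AC-6 controls above can be checked on a host with the following audit script. It is an added example, not code from the advisory page or from TotalAV: it enumerates every Windows service whose executable path is unquoted and contains a space (the CWE-428 condition), flags which of them run as LocalSystem, and writes the quoted path back to the service's ImageP­ath value. The page does not name TotalAV's service names, so nothing here is specific to that product; it assumes an elevated PowerShell 5.1 or later session on the machine being audited.

```powershell
# Added audit example (not from the advisory page or the vendor).
# Assumes an elevated PowerShell session on the host being checked.

function Get-UnquotedServicePath {
    <#
    .SYNOPSIS
    Returns services whose executable path is unquoted and contains a space (CWE-428).
    #>
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        $path = $path.Trim()

        # A path that is already quoted is not ambiguous and is not affected.
        if ($path.StartsWith('"')) { return }

        # Separate the executable from its arguments at the first ".exe" token.
        if ($path -notmatch '^(?<exe>.+?\.exe)(?<rest>.*)$') { return }
        $exe     = $Matches['exe']
        $svcArgs = $Matches['rest']

        # Without a space in the executable portion there is no intermediate
        # segment the service control manager could resolve to a wrong file.
        if ($exe -notmatch ' ') { return }

        [pscustomobject]@{
            Name          = $svc.Name
            RunsAs        = $svc.StartName
            IsLocalSystem = ($svc.StartName -eq 'LocalSystem')   # AC-6: highest impact if hijacked
            StartMode     = $svc.StartMode
            CurrentPath   = $path
            QuotedPath    = '"{0}"{1}' -f $exe, $svcArgs          # CM-6: the corrected setting
        }
    }
}

function Repair-ServicePath {
    <#
    .SYNOPSIS
    Writes the quoted path back to the service's ImagePath registry value.
    Supports -WhatIf so the change can be previewed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Finding
    )
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($Finding.Name, "set ImagePath to $($Finding.QuotedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.QuotedPath
        }
    }
}

# Usage: list the findings, preview the fix, then apply it once reviewed.
$findings = Get-UnquotedServicePath
$findings | Format-Table Name, IsLocalSystem, StartMode, CurrentPath, QuotedPath -AutoSize
$findings | Repair-ServicePath -WhatIf
# To apply the change for real:  $findings | Repair-ServicePath
```

The script reports the misconfiguration and the corrected value; it does not check who can write to the intermediate directories, which is what decides whether a given unquoted path is actually exploitable on a host. After quoting, restarting the service (or rebooting) makes the new ImagePath take effect, and any finding with IsLocalSystem set is also a candidate for the AC-6 review of whether the service needs that account at all.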

References

https://www.exploit-db.com/exploits/50314 (proof-of-concept exploit)
https://www.totalav.com (vendor site)
https://www.vulncheck.com/advisories/totalav-unquoted-service-path (VulnCheck advisory)