CVE-2021-47787
Published: 16 January 2026
Summary
CVE-2021-47787 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Totalav Totalav. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE is ranked at the 13.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47787 is an unquoted service path vulnerability in TotalAV version 5.15.69. The issue affects multiple system services that run with LocalSystem privileges, stemming from CWE-428. Attackers can exploit the service path configuration by placing malicious executables in specific unquoted path segments, potentially leading to SYSTEM-level access.
The vulnerability carries a CVSS score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. A local attacker with low privileges can exploit it with low complexity and no user interaction required, achieving privilege escalation to SYSTEM-level access through the hijacked service execution.
Advisories and references detail the issue, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/50314, the vendor site at https://www.totalav.com, and a VulnCheck advisory at https://www.vulncheck.com/advisories/totalav-unquoted-service-path. These resources provide further technical details on the vulnerability and exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2998
Vulnerability details
TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unquoted service path (CWE-428) enables path interception by placing a malicious binary in an intermediate directory segment, hijacking LocalSystem service execution for privilege escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws like the unquoted service path in TotalAV services, directly remediating the vulnerability to prevent privilege escalation.
CM-6 mandates secure configuration settings for system components, including properly quoting service paths to block executable hijacking in unquoted segments.
AC-6 enforces least privilege by requiring services to run with minimal necessary privileges rather than LocalSystem, limiting the impact of successful path hijacking.
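The unquoted-path condition described under "Deeper analysis" and the CM-6 fix (quote the service path) can both be checked offline with a small audit. The following is an added example, not code from this advisory, from TotalAV or from the VulnCheck or Exploit-DB references; it works on ImagePath strings of the kind stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, and the service names and paths in SAMPLE_SERVICES are constructed samples, not TotalAV's real paths. It flags a service as affected when its ImagePath is unquoted and the executable portion contains a space, emits the quoted (hardened) value, and lists the parent directories whose write ACLs a defender should confirm are restricted to administrators.

```python
"""Audit Windows service ImagePath values for unquoted paths with spaces (CWE-428).

Added example; not the advisory's, vendor's or any referenced project's code.
Service names and ImagePath strings in SAMPLE_SERVICES are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An unquoted ImagePath ends its executable at the first token with one of
# these extensions; whatever follows is the argument string.
_EXT_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|cmd|bat))(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for an ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            # Unterminated quote: treat the remainder as the executable.
            return value[1:], "", True
        return value[1:end], value[end + 1:], True
    m = _EXT_RE.match(value)
    if m:
        return m.group(1), m.group(2) or "", False
    # No recognisable extension: treat the whole value as the executable
    # (conservative; a space in it will still be flagged for review).
    return value, "", False


def is_vulnerable(executable: str, quoted: bool) -> bool:
    """Unquoted plus a space in the executable path is the CWE-428 condition:
    the service control manager may resolve a shorter interpretation first."""
    return (not quoted) and (" " in executable)


def hardened_value(executable: str, arguments: str) -> str:
    """The CM-6 fix: quote only the executable, keep the arguments as-is."""
    return f'"{executable}"{arguments}'


def directories_to_review(executable: str) -> List[str]:
    """Parent directory of every path component that contains a space.
    These are the locations whose write ACLs should be verified."""
    parts = executable.split("\\")
    review = []
    for i, comp in enumerate(parts):
        if i > 0 and " " in comp:
            review.append("\\".join(parts[:i]) + "\\")
    return review


@dataclass
class Finding:
    service: str
    image_path: str
    vulnerable: bool
    hardened: Optional[str]
    review_dirs: List[str]


def audit_services(services: Dict[str, str]) -> List[Finding]:
    """Map {service name: ImagePath} to one Finding per service."""
    findings = []
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        vuln = is_vulnerable(exe, quoted)
        findings.append(Finding(
            service=name,
            image_path=image_path,
            vulnerable=vuln,
            hardened=hardened_value(exe, args) if vuln else None,
            review_dirs=directories_to_review(exe) if vuln else [],
        ))
    return findings


# Constructed sample registry values (not TotalAV's actual service paths).
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Update Service\updater.exe -run",
    "ExampleGuard": r'"C:\Program Files\Example Vendor\guard.exe" -service',
    "PlainSvc": r"C:\Vendor\svc.exe",
    "HostedSvc": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        status = "UNQUOTED PATH WITH SPACES" if f.vulnerable else "ok"
        print(f"{f.service}: {status}")
        if f.vulnerable:
            print(f"  current : {f.image_path}")
            print(f"  hardened: {f.hardened}")
            print("  review write ACLs on: " + ", ".join(f.review_dirs))
```

Only ExampleUpdater is reported: its path is unquoted and has spaces before the executable, so the audit emits the quoted value and names C:\, C:\Program Files\ and C:\Program Files\Example Vendor\ as the directories to check. ExampleGuard is already quoted, PlainSvc has no spaces, and HostedSvc has a space only in the arguments, none of which is the CWE-428 condition. On a live host the same logic runs over the ImagePath values read from the registry, and the hardened value is applied with `sc.exe config <name> binPath= "..."` (inner quotes escaped as \") or by editing the ImagePath value directly, followed by a service restart.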