Cyber Posture

CVE-2021-47787

High · Public PoC

Published: 16 January 2026

Modified: 09 February 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47787 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in TotalAV. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 0.6th percentile by exploit likelihood (EPSS), below the median; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

SI-2 requires timely identification, reporting, and correction of flaws like the unquoted service path in TotalAV services, directly remediating the vulnerability to prevent privilege escalation.

prevent

CM-6 mandates secure configuration settings for system components, including properly quoting service paths to block executable hijacking in unquoted segments.

prevent

AC-6 enforces least privilege by requiring services to run with minimal necessary privileges rather than LocalSystem, limiting the impact of successful path hijacking.

NVD Description

TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration.

Deeper analysis (AI)

CVE-2021-47787 is an unquoted service path vulnerability in TotalAV version 5.15.69. The issue affects multiple system services that run with LocalSystem privileges, stemming from CWE-428. Attackers can exploit the service path configuration by placing malicious executables in specific unquoted path segments, potentially leading to SYSTEM-level access.
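A configuration check for the condition described above, as an added example that is not part of the original page or of any vendor tooling: it flags service `ImagePath` values whose executable path contains a space but is not quoted, and returns the quoted form that CM-6 calls for. The service names, paths and environment mapping are constructed placeholders (the page does not list the affected TotalAV service entries), and the function names are hypothetical.

```python
import re

# Constructed sample data: service names and paths are placeholders, not the
# real TotalAV service entries (the page does not list them).
SAMPLE_SERVICES = {
    "ExampleAvScanner": r"C:\Program Files\Example AV\scanner.exe --service",
    "ExampleAvUpdater": r'"C:\Program Files\Example AV\updater.exe" /run',
    "ExampleEnvSvc": r"%ProgramFiles%\ExampleAV\agent.exe",
    "ExampleHost": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
SAMPLE_ENV = {"programfiles": r"C:\Program Files"}  # assumed expansion

_ENV_REF = re.compile(r"%([^%]+)%")
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def expand_env(path, env):
    """Expand %VAR% references; a space can hide inside a variable's value."""
    return _ENV_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def split_command(image_path, env):
    """Return (executable, arguments) for an expanded, unquoted ImagePath."""
    expanded = expand_env(image_path.strip(), env)
    m = _EXE_END.search(expanded)
    if not m:  # no .exe found: treat the whole string as the path
        return expanded, ""
    return expanded[:m.end()], expanded[m.end():]

def is_unquoted_with_space(image_path, env):
    """True when the executable path has a space and is not quoted (CWE-428)."""
    if image_path.lstrip().startswith('"'):
        return False
    exe, _args = split_command(image_path, env)
    return " " in exe  # spaces only in the arguments are not a finding

def quoted_fix(image_path, env):
    """Return the ImagePath with the (expanded) executable wrapped in quotes."""
    if not is_unquoted_with_space(image_path, env):
        return image_path
    exe, args = split_command(image_path, env)
    return f'"{exe}"{args}'

def audit(services, env):
    """Map each flagged service name to its corrected ImagePath."""
    return {name: quoted_fix(path, env) for name, path in services.items()
            if is_unquoted_with_space(path, env)}
```

On a real host the input would come from the `ImagePath` value of each key under `HKLM\SYSTEM\CurrentControlSet\Services`, with the environment mapping taken from the system environment.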

The vulnerability carries a CVSS score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. A local attacker with low privileges can exploit it with low complexity and no user interaction required, achieving privilege escalation to SYSTEM-level access through the hijacked service execution.

Advisories and references detail the issue, including a proof-of-concept exploit at https://www.exploit-db.com/exploits/50314, the vendor site at https://www.totalav.com, and a VulnCheck advisory at https://www.vulncheck.com/advisories/totalav-unquoted-service-path. These resources provide further technical details on the vulnerability and exploitation.

Details

CWE(s)

Affected Products

Vendor: totalav
Product: totalav
Version: 5.15.69

CVEs Like This One

CVE-2019-25276 (Shared CWE-428)
CVE-2020-37098 (Shared CWE-428)
CVE-2021-47809 (Shared CWE-428)
CVE-2024-57276 (Shared CWE-428)
CVE-2020-37100 (Shared CWE-428)
CVE-2021-47790 (Shared CWE-428)
CVE-2020-36976 (Shared CWE-428)
CVE-2021-47833 (Shared CWE-428)
CVE-2021-47861 (Shared CWE-428)
CVE-2021-47896 (Shared CWE-428)

References