Cyber Resilience

CVE-2021-47845

High · Public PoC

Published: 16 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0015 (4.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47845 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Spy Emergency (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

Spy Emergency version 25.0.650 is affected by an unquoted service path vulnerability in its Windows service configurations. This flaw exists in the services associated with SpyEmergencyHealth.exe and SpyEmergencySrv.exe, where the service binary paths are not properly quoted, allowing Windows to search for executable files in multiple directories during service execution.

Local attackers with low privileges can exploit this vulnerability by placing a malicious executable in a directory that is searched before the legitimate service path. The executable then runs when the service starts, such as during system startup or service restart. Successful exploitation enables code execution with elevated SYSTEM privileges, potentially leading to high confidentiality, integrity, and availability impacts, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories and references, including those from VulnCheck and Exploit-DB, document the issue and provide a proof-of-concept exploit at https://www.exploit-db.com/exploits/49997. The vendor site at https://www.spy-emergency.com/ is also referenced, though the available information does not include specific patch details.

EU & UK References

Vulnerability details

Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unquoted service path in Windows services directly enables path interception by unquoted path (T1574.009) for local privilege escalation to SYSTEM (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-50914 · Shared CWE-428
CVE-2020-36982 · Shared CWE-428
CVE-2020-36987 · Shared CWE-428
CVE-2021-47825 · Shared CWE-428
CVE-2020-37059 · Shared CWE-428
CVE-2020-36953 · Shared CWE-428
CVE-2022-50935 · Shared CWE-428
CVE-2021-47864 · Shared CWE-428
CVE-2020-37060 · Shared CWE-428
CVE-2019-25308 · Shared CWE-428

Affected Assets

Spy Emergency
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Establishes and enforces secure configuration settings for Windows services, including properly quoting executable paths to directly prevent unquoted service path hijacking.

prevent: Requires timely identification, reporting, and correction of flaws like unquoted service paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe.

detect: Vulnerability scanning and monitoring identifies unquoted service path vulnerabilities in service configurations for exploitation assessment.
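A configuration check for the condition described above, as an added example that is not code from this page or from the vendor: it flags service binary paths that are unquoted and contain a space in the executable portion, and returns the quoted value to set instead. The service names and paths are constructed sample data (the page does not give the product's install path), the function names are hypothetical, and the input is assumed to be the ImagePath string of each service under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re
from typing import NamedTuple, Optional

# Executable portion of an ImagePath: everything up to the first ".exe"
# that is followed by whitespace or end of string; arguments come after it.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


class Finding(NamedTuple):
    service: str
    image_path: str   # value as currently configured
    quoted_fix: str   # same command line with the executable path quoted


def check_image_path(service: str, image_path: str) -> Optional[Finding]:
    """Return a Finding if the binary path is unquoted and contains a space."""
    value = image_path.strip()
    if value.startswith('"'):
        return None   # already quoted: the executable path is unambiguous
    m = _EXE.match(value)
    if not m:
        return None   # e.g. kernel drivers (.sys); outside this check's scope
    exe, args = m.group(1), m.group(2)
    if " " not in exe:
        return None   # spaces appear only in the arguments: no ambiguity
    return Finding(service, image_path, f'"{exe}"{args}')


def audit(services: dict) -> list:
    """Check every service name -> ImagePath pair and collect the findings."""
    return [f for name, path in services.items()
            if (f := check_image_path(name, path))]


# Constructed sample data, not taken from the advisory.
SAMPLE = {
    "ExampleHealthSvc": r"C:\Program Files\Example Vendor\Example App\health.exe",
    "ExampleSrv": r"C:\Program Files\Example Vendor\Example App\srv.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Example App\ok.exe" --service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.service}: {f.image_path}\n  fix -> {f.quoted_fix}")
```

Only the first two sample entries are reported; the quoted entry, the path without spaces, and the driver entry pass.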

References