CVE-2022-50917
Published: 13 January 2026
Summary
CVE-2022-50917 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Proton ProtonVPN. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 9.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-50917 is an unquoted service path vulnerability in ProtonVPN version 1.26.0, specifically affecting its WireGuard service configuration. Published on 2026-01-13, this issue falls under CWE-428 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential from local access.
Local attackers with low privileges can exploit the vulnerability by placing malicious executables in specific filesystem locations that align with the unquoted service path. During WireGuard service startup, the system may execute the attacker's binary instead of the legitimate one, enabling arbitrary code execution and privilege escalation.
Advisories and related resources provide further details on the issue, including the VulnCheck advisory at https://www.vulncheck.com/advisories/protonvpn-unquoted-service-path, a proof-of-concept exploit at https://www.exploit-db.com/exploits/50837, and ProtonVPN's official site at https://protonvpn.com/.
A public exploit is available on Exploit-DB, highlighting the vulnerability's exploitability in real-world scenarios.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2630
Vulnerability details
ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unquoted service path directly enables path interception by unquoted path (T1574.009) during service startup, resulting in arbitrary code execution for privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5) AI
CM-6 mandates secure configuration settings for system components like services, directly preventing unquoted service path vulnerabilities by requiring quoted paths in WireGuard configurations.
SI-2 requires timely identification, reporting, and correction of flaws such as CVE-2022-50917, mitigating the unquoted service path issue through patching or configuration fixes.
RA-5 employs vulnerability scanning to detect configuration weaknesses like unquoted service paths in ProtonVPN's WireGuard service, enabling proactive remediation.
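The configuration check that CM-6 and RA-5 call for can be run against any host's service table. The following is an added example, not code from this page or from Proton: the function name and the sample paths are hypothetical, and it assumes service executables end in ".exe". It flags service command lines whose executable path contains a space but is not quoted, and prints the quoted form to set instead.

```powershell
# Added example (not vendor code): audit service command lines for CWE-428.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    # ImagePath may be REG_EXPAND_SZ; expansion can introduce spaces.
    $p = [Environment]::ExpandEnvironmentVariables($PathName).Trim()

    # A leading quote makes the executable boundary unambiguous.
    if ($p.StartsWith('"')) { return }

    # Treat everything up to the first ".exe" as the intended executable,
    # and whatever follows as its arguments.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>(\s.*)?)$', 'IgnoreCase')
    if (-not $m.Success) { return }

    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return }   # no space, so no ambiguity

    [pscustomobject]@{
        Original  = $PathName
        Suggested = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
    }
}

# Constructed sample values (hypothetical paths, not taken from any product).
$samples = @(
    'C:\Program Files\Example Vendor\Tunnel\svc.exe /service tunnel0',
    '"C:\Program Files\Example Vendor\Tunnel\svc.exe" /service tunnel0',
    'C:\Windows\System32\svchost.exe -k netsvcs',
    '%ProgramFiles%\Example Vendor\agent.exe'
)
$samples | ForEach-Object { Test-UnquotedServicePath -PathName $_ } | Format-List

# On a live host, feed it the real service table instead:
# Get-CimInstance Win32_Service |
#     ForEach-Object { Test-UnquotedServicePath -PathName $_.PathName }
```

Only the first and last samples are reported; the already-quoted entry and the space-free svchost.exe path pass.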