CVE-2022-50918
Published: 13 January 2026
Summary
CVE-2022-50918 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Vive (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 6.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-50918 is an unquoted service path vulnerability (CWE-428) affecting VIVE Runtime Service version 1.0.0.4. This flaw occurs in the service's binary path configuration, enabling local users to execute arbitrary code with elevated system privileges. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high impact on confidentiality, integrity, and availability from a local attack vector requiring no privileges.
A local attacker can exploit this vulnerability by placing a malicious executable in specific system directories that the unquoted service path searches during startup. When the VIVE Runtime Service (ViveAgentService) launches, it executes the attacker's binary instead, granting LocalSystem-level access and full system compromise.
Advisories, including the VulnCheck report at vulncheck.com/advisories/vive-runtime-service-viveagentservice-unquoted-service-path, provide details on the issue, while VIVE developer resources at developer.vive.com/resources/downloads/ may offer patches or updates. A proof-of-concept exploit is publicly available on Exploit-DB at exploit-db.com/exploits/50824.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2628
Vulnerability details
VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unquoted service path (CWE-428) directly enables path interception by placing a malicious binary in a higher directory searched at service startup, resulting in LocalSystem execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces secure configuration settings for services, directly preventing unquoted service paths that enable execution of arbitrary code from unintended directories.
Requires identification, reporting, and timely remediation of flaws like unquoted service paths via patches or configuration corrections.
Mitigates privilege escalation impact by enforcing least privilege for services, limiting damage even if a malicious executable is executed via the unquoted path.
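An added example, not code from the original page or from VIVE: a configuration check of the kind the configuration-settings control above describes. It flags service ImagePath values that are unquoted and contain a space, and returns the quoted value to set instead. The service names, paths and environment-variable defaults are constructed assumptions.

```python
import re

# Constructed ImagePath values for illustration; none come from a real host
# or from the VIVE installer. On Windows the real values are stored in
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleAgentService": r"C:\Program Files\Example Vendor\Agent Service\agent.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Updater\updater.exe" /svc',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleEnvVar": r"%ProgramFiles%\ExampleVendor\tool.exe",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Assumed default expansions, used only to decide whether a space is present.
ENV_DEFAULTS = {"programfiles": r"C:\Program Files",
                "programfiles(x86)": r"C:\Program Files (x86)",
                "systemroot": r"C:\Windows"}

# Executable part ends at the first ".exe" followed by whitespace or end of string.
_EXE = re.compile(r"(.+?\.exe)(\s.*)?$", re.IGNORECASE)


def quoted_fix(image_path, env=ENV_DEFAULTS):
    """Return the corrected (quoted) ImagePath, or None if no change is needed."""
    value = image_path.strip()
    if value.startswith('"'):
        return None                      # already quoted
    match = _EXE.match(value)
    if match is None:
        return None                      # not an .exe command line (e.g. a driver)
    exe, args = match.group(1), match.group(2) or ""
    # Expand %VAR% so a space hidden inside a variable is still noticed.
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).lower(), m.group(0)), exe)
    if " " not in expanded:
        return None                      # no space, so the path is unambiguous
    return f'"{exe}"{args}'


def audit(services):
    """Map each flagged service name to the ImagePath it should be changed to."""
    return {name: fix for name, path in services.items()
            if (fix := quoted_fix(path)) is not None}


if __name__ == "__main__":
    for name, fix in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set ImagePath to {fix}")
```

To audit a live host, build the `services` dictionary from the registry instead of `SAMPLE_SERVICES`; the parsing and the suggested fix stay the same.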