CVE-2024-47856
Published: 24 November 2025
Summary
CVE-2024-47856 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in RSA Authentication Agent for Windows. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-47856 is a path interception vulnerability (CWE-23) in RSA Authentication Agent for Microsoft Windows versions before 7.4.7. It arises when service paths and shortcut paths contain one or more spaces without surrounding quotation marks, allowing Windows to resolve an executable from a higher-level directory instead of the intended one. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation without privileges or user interaction.
An unauthenticated attacker with network access can exploit this vulnerability by placing a malicious executable in a higher-level directory along the unquoted path used by the affected service or shortcut. Upon execution of the service or shortcut, Windows prioritizes the attacker's executable, enabling arbitrary code execution with the privileges of the RSA Authentication Agent process, which could result in high-impact confidentiality, integrity, and availability violations, such as full system compromise.
RSA advisories, including RSA-2024-13, detail the security update and recommend upgrading to version 7.4.7, available for download from the RSA community site. Practitioners should apply this patch promptly to affected systems to prevent exploitation.
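An audit of the unquoted-path condition described above, as an added example that is not part of the advisory or of RSA's software: it takes service ImagePath or shortcut target strings (the sample values below are constructed), reports which ones are exposed, lists the locations Windows would try before the intended executable (so their ACLs can be reviewed), and returns the quoted form that the CM-6 control calls for.

```python
import ntpath

# Constructed sample command lines, not taken from the page. Only the first one
# is exposed: it is unquoted and the path to the executable contains spaces.
SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\Example Vendor\Agent Service\agentsvc.exe -service",
    r'"C:\Program Files\Example Vendor\Agent Service\agentsvc.exe" -service',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

def split_command(cmd):
    """Return (exe_path, args, quoted) for a service ImagePath / shortcut target."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    # Unquoted: take everything up to the first token ending in an executable
    # extension as the intended path; the rest are arguments.
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith((".exe", ".com", ".bat", ".cmd")):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:]), False
    return cmd, "", False

def interception_candidates(exe_path):
    """Paths Windows tries before the intended one when exe_path is unquoted.

    CreateProcess treats each space as a possible end of the executable name and
    appends .exe when a candidate has no extension, so 'C:\\Program Files\\X Y\\a.exe'
    is tried as 'C:\\Program.exe', then 'C:\\Program Files\\X.exe', and so on.
    """
    tokens = exe_path.split(" ")
    cands = []
    for i in range(1, len(tokens)):
        cand = " ".join(tokens[:i])
        if "." not in ntpath.basename(cand):
            cand += ".exe"
        cands.append(cand)
    return cands

def audit(cmd):
    """Flag an unquoted path containing spaces and return its quoted replacement."""
    path, args, quoted = split_command(cmd)
    vulnerable = (not quoted) and (" " in path)
    fixed = (f'"{path}"' + (f" {args}" if args else "")) if vulnerable else cmd
    return {
        "vulnerable": vulnerable,
        "candidates": interception_candidates(path) if vulnerable else [],
        "fixed": fixed,
    }

if __name__ == "__main__":
    for cmd in SAMPLE_IMAGE_PATHS:
        print(audit(cmd))
```

On a live host the same check is run over `Win32_Service.PathName` values (and shortcut targets) instead of the constructed list; any directory in `candidates` that non-administrators can write to is the finding to remediate.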
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55101
Vulnerability details
In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly a path interception issue due to unquoted paths with spaces in service and shortcut paths, directly matching T1574.009: Path Interception by Unquoted Path, enabling arbitrary code execution by placing a malicious executable in a higher-level directory.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the RSA Authentication Agent to version 7.4.7, eliminating the unquoted path vulnerability.
- CM-6 (Configuration Settings): mandates secure configuration settings, such as properly quoting service and shortcut paths that contain spaces, to block path interception.
- Restricts execution to authorized software only via whitelisting, preventing malicious executables in higher-level directories from running even if path resolution fails.