CVE-2021-47880: A Legacy Windows Misconfiguration That Still Enables SYSTEM-Level Privilege

Aegiron 10 mins0

CVE-2021-47880 — Realtek Wireless LAN Utility

Vulnerability Type: Unquoted Service Path
Affected Component: Realtek Wireless LAN Utility service (Realtek11nSU, RtlService.exe)
Impact: Local Privilege Escalation
Attack Vector: Local
Privileges Required: Low
User Interaction: None

Risk Overview

A local privilege escalation vulnerability was identified in the Realtek Wireless LAN Utility due to an unquoted service path configuration. When the Windows service associated with the utility is registered with a file path that contains spaces and is not enclosed in quotation marks, Windows may incorrectly interpret the executable path. Under certain conditions, this behavior allows a locally authenticated, low-privileged user to execute arbitrary code with SYSTEM-level privileges.

This issue is not remotely exploitable. However, in environments where standard users have local access (workstations, shared systems, VDI images), the vulnerability presents a high risk, as SYSTEM-level access grants full control over the affected machine.

CVSS & Severity

  • CVSS v3.1 Base Score: 7.8
  • Severity: High
  • Attack Complexity: Low
  • Exploitability: High (once local access is available)

The high score is driven by the potential for full compromise of confidentiality, integrity, and availability of the system after exploitation.

Technical Description

On Windows systems, services are launched using a configured executable path stored in the registry under:

HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath

In the affected Realtek Wireless LAN Utility, the service path resembles:

C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe

Because this path:

  • Contains spaces, and
  • Is not enclosed in quotation marks,

Windows may attempt to execute the path in segments during service startup, following its internal search order. For example, Windows may attempt to run:

C:\Program.exe

before resolving the intended executable.

If a malicious executable with a matching name is placed earlier in the search order and the service is started or restarted, that executable will be run in the context of the service account, which is typically LocalSystem.

How Exploitation Can Occur

  1. Local access to the system is obtained using a standard (non-administrative) user account.
  2. The system is inspected for services with unquoted executable paths that contain spaces.
  3. A writable directory is identified in the service path resolution chain (for example, the root of the system drive if permissions are misconfigured).
  4. A malicious executable is placed in that directory with a name that Windows will attempt to execute first.
  5. When the vulnerable service is restarted (manually, automatically, or during system boot), the malicious executable is launched instead of the legitimate Realtek service binary.
  6. Code execution is achieved with SYSTEM-level privileges, resulting in full local compromise.

No user interaction is required, and exploitation relies entirely on Windows service path parsing behavior.

Proof of Concept & Exploit Availability

A public proof-of-concept (PoC) demonstrating this vulnerability exists and is widely documented in security research communities. The PoC focuses on:

  • Identifying the vulnerable service
  • Confirming the unquoted path
  • Demonstrating how a crafted executable can be executed with elevated privileges

MITRE Mapping

  • CWE-428: Unquoted Search Path or Element
  • MITRE ATT&CK Technique:
    • T1574.009 – Path Interception by Unquoted Path
  • ATT&CK Tactic: Privilege Escalation

Detection & Identification Methods

1. Service Configuration Review

Systems should be audited for Windows services that:

  • Contain spaces in their executable paths, and
  • Are not wrapped in quotation marks

This can be done using PowerShell or WMIC during routine security hygiene checks.

2. Registry Monitoring

Monitoring should be applied to:

HKLM\SYSTEM\CurrentControlSet\Services\

Specifically, alerts should trigger when:

  • New services are created with unquoted paths
  • Existing service ImagePath values are modified

3. File Creation Monitoring

Suspicious activity may include:

  • Creation of executable files in high-risk locations such as:
    • C:\
    • C:\Program Files\
    • C:\Program Files (x86)\
  • Executable creation performed by non-administrative users

4. Process Execution Monitoring

Indicators of exploitation may include:

  • Unexpected executables launched by services.exe
  • Service-related processes spawning shells or unknown binaries
  • Service restarts followed by anomalous outbound network connections

Endpoint Detection & Response (EDR) solutions and Sysmon logs are particularly effective for this type of detection.

Example Detection Logic

  • Alert when services.exe launches a binary that does not match the expected service executable.
  • Alert when executable files are written to system root directories by standard users.
  • Correlate service restart events with new executable creation in parent directories.

Payloads Commonly Observed in Abuse Scenarios

When exploited, attackers typically deploy:

  • Reverse shells
  • Local administrator account creation
  • Persistent backdoors or scheduled tasks
  • Credential harvesting tools

Because execution occurs as SYSTEM, even very small payloads can result in complete system takeover.

Recommended Remediation & Mitigation

1. Apply Vendor Updates (Preferred)

The most reliable mitigation is to update the Realtek Wireless LAN Utility to a version where the service path is correctly quoted.

Official Vendor Download / Update Page:
https://www.realtek.com/Download/Index?cate_id=203&menu_id=297

Updates should always be obtained from Realtek directly or from the system OEM if Realtek components are bundled with device-specific drivers.

2. Manual Configuration Hardening (If Update Is Not Immediately Possible)

  • The service executable path should be enclosed in quotation marks.
  • Directory permissions should be reviewed to ensure non-administrative users cannot write to parent directories in service paths.
  • Unused or unnecessary vendor utilities should be disabled or removed.

3. Preventive Controls

  • Regularly audit all Windows services for unquoted paths.
  • Enforce least-privilege permissions on system directories.
  • Implement application control policies to block unauthorized executables.
  • Monitor service creation and modification events.

Logging Sources to Enable

  • Windows Security Event Log (process creation, service changes)
  • Windows System Event Log (service start/stop)
  • Sysmon (process creation, file creation, image load)
  • EDR / Antivirus telemetry
  • SIEM correlation rules for service abuse patterns

Final Takeaway

CVE-2021-47880 represents a classic but still highly effective local privilege escalation weakness. While the issue is simple in nature, it remains dangerous due to how commonly affected utilities are deployed and how often service configurations are overlooked.

When combined with weak directory permissions or insufficient monitoring, this vulnerability can be reliably abused by attackers after initial access. Proper patching, service hardening, and routine audits are sufficient to fully mitigate the risk.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.