CVE-2022-50917: ProtonVPN Windows Service Misconfiguration Enables Local SYSTEM-Level Takeover

Unquoted Service Path Vulnerability (WireGuard Service)

CVE ID: CVE-2022-50917
Product: ProtonVPN Windows Client
Affected Component: ProtonVPN WireGuard Windows Service
Affected Version: ProtonVPN Windows Client v1.26.0
Vulnerability Type: Unquoted Service Path
CWE: CWE-428 – Unquoted Search Path or Element
Attack Type: Local Privilege Escalation
Attack Vector: Local
User Interaction: Not Required
Privileges Required: Low (local user access)
CVSS v3.1 Score: 8.4 – High
Severity: High
Exploitability: Easy to Moderate (depends on filesystem permissions)
Exploit Availability: Public proof-of-concept write-ups available (educational / testing use only)


Executive Summary

This vulnerability exists because a Windows service used by ProtonVPN was configured with a file path that contains spaces but was not enclosed in quotation marks. On Windows systems, this can cause the operating system to accidentally execute the wrong program when starting the service.

If a local attacker can place a malicious executable in the right location, Windows may run that malicious file instead of the legitimate ProtonVPN service. Since services often run with very high privileges (commonly SYSTEM), this can allow the attacker to gain full control of the system.

This is not a remote attack. The attacker must already have local access to the machine, but the impact is serious because it can turn a low-privileged user into a full administrator.


Technical Explanation

On Windows, services are launched using a registry value called ImagePath, which defines the full path to the executable.
Example of a secure configuration:

"C:\Program Files\Vendor\Service Folder\service.exe"

In ProtonVPN v1.26.0, the WireGuard service was configured more like this:

C:\Program Files\ProtonVPN\WireGuard Service\wireguard.exe

Because the path:

  • contains spaces
  • is not wrapped in quotes

Windows parses it incorrectly.

How Windows Interprets This

When starting the service, Windows tries the following paths in order:

  1. C:\Program.exe
  2. C:\Program Files\ProtonVPN.exe
  3. C:\Program Files\ProtonVPN\WireGuard.exe
  4. Finally, the intended binary

If any one of these earlier paths exists and contains an executable, Windows will run it instead of the legitimate service binary.


How This Can Be Exploited

The following explanation is for defensive understanding and educational use only.

  1. Local access obtained
    The attacker already has a standard user account on the system (this could be via phishing, shared access, malware, or insider threat).
  2. Service enumeration
    The attacker lists Windows services and identifies one with an unquoted executable path containing spaces.
  3. Permission check
    The attacker checks whether they can write files into one of the directories Windows checks first (for example, C:\ or a misconfigured program folder).
  4. Malicious executable placement
    A malicious file such as Program.exe or ProtonVPN.exe is placed in a writable directory that Windows will check before the real service executable.
  5. Service start or reboot
    When the system reboots or the ProtonVPN service restarts, Windows executes the malicious binary.
  6. Privilege escalation achieved
    The malicious executable runs with the same privileges as the service (often NT AUTHORITY\SYSTEM).

Why This Vulnerability Is Dangerous

  • No user interaction is required once the malicious file is in place
  • Exploitation is reliable if directory permissions are weak
  • Results in full system compromise
  • Can be chained with other vulnerabilities or used as a persistence mechanism
  • Often overlooked because the service appears legitimate

MITRE ATT&CK Mapping

Tactic: Privilege Escalation
Technique: T1574.009 – Path Interception by Unquoted Path

This technique abuses how Windows resolves executable paths when quotation marks are missing.


Detection & Monitoring Guidance

Log Sources to Monitor

  • Endpoint Detection & Response (EDR)
  • Windows Security Logs
  • Sysmon (highly recommended)
  • File Integrity Monitoring
  • Registry Auditing

Key Detection Opportunities

1. Unexpected Executables

Look for .exe files appearing in:

  • C:\
  • C:\Program Files\
  • Any parent directory of a service executable

Especially suspicious if:

  • File is unsigned
  • File was recently created
  • File name resembles common fragments like Program.exe

2. Suspicious Process Creation

Alert when:

  • services.exe launches a binary from an unusual location
  • A service starts an executable outside its expected install directory
  • SYSTEM-level processes spawn shells or scripts

3. Registry Configuration Review

Audit:

HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath

Flag entries that:

  • Contain spaces
  • Are not enclosed in double quotes
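As an added example (not code from the advisory or from Proton), the following Python audit helper applies the two flag rules above to a constructed set of service ImagePath values and, for each unquoted entry, derives the locations Windows probes before reaching the real binary, cutting the path at every space as described under "How Windows Interprets This". The service names and paths are constructed samples, not values read from a real host.

```python
import re

# Constructed sample of service ImagePath values (not read from a real host); the
# ProtonVPN entry mirrors the unquoted path described in the advisory.
SAMPLE_IMAGEPATHS = {
    "ProtonVPN WireGuard": r"C:\Program Files\ProtonVPN\WireGuard Service\wireguard.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorSvc": r'"C:\Program Files\Vendor\Service Folder\service.exe" -run',
    "OtherSvc": r"C:\Program Files\Other Vendor\svc.exe --service",
}

def is_unquoted_with_spaces(image_path: str) -> bool:
    """Flag rule from the registry review: not wrapped in double quotes and contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p

def probe_paths(image_path: str) -> list:
    """Locations Windows tries before the real binary when the path is unquoted:
    the command line is cut at each space and '.exe' is appended to the prefix.
    These are the directories to lock down and watch for newly created files."""
    p = image_path.strip()
    if p.startswith('"'):
        return []  # a quoted path resolves unambiguously
    m = re.match(r"(?i)(.*?\.exe)", p)  # ignore arguments after the executable
    exe = m.group(1) if m else p
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(imagepaths: dict) -> dict:
    """Return {service: probe paths} for every unquoted ImagePath containing spaces."""
    return {svc: probe_paths(path) for svc, path in imagepaths.items()
            if is_unquoted_with_spaces(path)}

if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_IMAGEPATHS).items():
        print(f"[!] {svc}: unquoted ImagePath; Windows probes first:")
        for path in paths:
            print(f"      {path}")
```

On a live system the same checks can be fed from `Get-CimInstance Win32_Service` (the `PathName` property) or a `reg query` of the Services key instead of the constructed dictionary.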

Example Detection Logic

Condition:

  • Parent Process = services.exe
  • Executable Path ≠ known legitimate service binary
  • Executable located in root or parent directory

Action:

  • Raise high-severity alert
  • Isolate endpoint if suspicious behavior confirmed
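The detection condition above, turned into a runnable rule as an added example (not code from the advisory): it evaluates constructed Sysmon Event ID 1 records, alerting only when the parent is services.exe, the image is not on the allowlist of known service binaries, and the image sits in a root/top-level directory or in a parent directory of a known service binary. The event records and the allowlist are constructed samples.

```python
import ntpath

# Constructed Sysmon Event ID 1 (process create) records trimmed to the fields the
# rule needs; none of them come from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ProtonVPN\WireGuard Service\wireguard.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "true"},
    {"Image": r"C:\Program.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "false"},
    {"Image": r"C:\Program Files\ProtonVPN\WireGuard.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "false"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "false"},
]

# Constructed allowlist of legitimate service binaries (lowercase); a real deployment
# would build it from the quoted ImagePath values of the installed services.
KNOWN_SERVICE_BINARIES = {
    r"c:\program files\protonvpn\wireguard service\wireguard.exe",
    r"c:\windows\system32\spoolsv.exe",
}
# Top-level directories in which no service binary should run directly.
TOP_LEVEL_DIRS = {"c:\\", "c:\\program files", "c:\\program files (x86)"}

def in_root_or_parent_dir(image: str) -> bool:
    """True when the binary sits in a root/top-level directory or in a directory that
    is an ancestor of a known service binary, i.e. a spot probed before the real one."""
    d = ntpath.dirname(image)
    if d in TOP_LEVEL_DIRS:
        return True
    prefix = d.rstrip("\\") + "\\"
    return any(ntpath.dirname(k).startswith(prefix) for k in KNOWN_SERVICE_BINARIES)

def evaluate(event: dict):
    """Apply the rule: parent is services.exe, image is not a known service binary,
    and the image lives in an interception position. Returns an alert or None."""
    if ntpath.basename(event["ParentImage"]).lower() != "services.exe":
        return None
    image = event["Image"].lower()
    if image in KNOWN_SERVICE_BINARIES or not in_root_or_parent_dir(image):
        return None
    return {"severity": "high", "image": event["Image"],
            "unsigned": event.get("Signed") != "true",
            "action": "raise alert; isolate endpoint if behaviour is confirmed"}

def run_rule(events: list) -> list:
    return [a for a in map(evaluate, events) if a]
```

`run_rule(SAMPLE_EVENTS)` raises two alerts, for `C:\Program.exe` and `C:\Program Files\ProtonVPN\WireGuard.exe`, and stays silent for the legitimate WireGuard and spooler binaries and for the explorer-spawned download.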

Proof-of-Concept (PoC) Notes

  • Public PoC demonstrations exist showing this issue in ProtonVPN v1.26.0
  • These PoCs are intended only for testing and educational purposes
  • They demonstrate the service path hijacking behavior, not remote exploitation
  • Do not run PoCs on production systems

Remediation & Mitigation

Primary Fix (Strongly Recommended)

Upgrade ProtonVPN to the latest Windows version provided by Proton.

Official Upgrade / Patch Link:
https://protonvpn.com/support/windows-vpn-app/

The updated client correctly quotes the service path and removes the vulnerability.


Additional Hardening Steps

  1. Audit all Windows services for unquoted paths
  2. Restrict write permissions on:
    • C:\
    • C:\Program Files\
    • Service-related directories
  3. Deploy EDR rules for service-based process execution anomalies
  4. Enable Sysmon for better process and file visibility
  5. Perform regular service configuration reviews

Indicators of Compromise (IoCs)

  • Presence of files like Program.exe in system root
  • Services launching unexpected executables
  • SYSTEM-level shells or scripts
  • New admin users created shortly after service restarts

Risk Assessment Summary

Factor                   Assessment
Ease of Exploitation     Moderate
Required Access          Local user
Impact                   Full system compromise
Stealth                  High
Fix Complexity           Low

Final Takeaway

CVE-2022-50917 is a textbook example of how a small configuration mistake can lead to a major security issue. While the attack requires local access, the payoff is significant—full administrative control of the system.

The good news is that this vulnerability is easy to fix, easy to detect when you know what to look for, and completely preventable with proper service configuration and patching.

Keeping software up to date and routinely auditing Windows services for unquoted paths can eliminate an entire class of privilege escalation attacks.


Aegiron