Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege
Description
Iperius Remote 1.7.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation path. When installed from directories containing spaces, attackers can place malicious executables in the path to be executed with elevated privileges during service startup or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: = 1.7.0
Patches
Vulnerability mechanics
Root cause
"The IperiusRemote service is installed with an unquoted service binary path, causing Windows to interpret spaces in the path as separators and potentially execute a different executable placed earlier in the path."
Attack vector
An attacker must be a local user on a system where the Iperius Remote 1.7.0 service was installed from a directory whose path contains spaces (e.g., "C:\Random Folder With Spaces") [ref_id=1]. Because the service binary path is unquoted, Windows' CreateProcess will search each space-delimited segment in order. If the attacker places a malicious executable named "Random.exe" or "Folder.exe" (matching one of the path segments) into a location that is searched before the real "IperiusRemote.exe", that malicious binary will be launched instead when the service starts or the system reboots [ref_id=1]. The service runs as LocalSystem, so the attacker's code gains SYSTEM privileges [ref_id=1].
Affected code
The vulnerable code path is the service installation routine of Iperius Remote 1.7.0. The exploit-db entry shows via `sc qc` that the service binary path is set to `C:\Random Folder With Spaces\IperiusRemote.exe` without surrounding quotes [ref_id=1]. No patch or source code is provided in the bundle; the vulnerability is in the installer's failure to quote the service binary path.
What the fix does
No patch is published in the bundle. The advisory [ref_id=1] implicitly recommends that the vendor should quote the service binary path in the Windows service registration (e.g., `"C:\Random Folder With Spaces\IperiusRemote.exe"`). Quoting the path ensures the entire string is treated as a single executable name, preventing Windows from interpreting spaces as separators and eliminating the opportunity for a local attacker to hijack execution.
Preconditions
- configIperius Remote 1.7.0 must have been installed from a directory with spaces in its path (e.g., 'C:\Random Folder With Spaces').
- authThe attacker must be an authorized but non-privileged local user on the Windows system.
- inputThe attacker must be able to write a malicious executable to a location that matches one of the path segments before the real service binary.
Reproduction
1. Install Iperius Remote 1.7.0 from a directory with spaces in its path (e.g., "C:\Random Folder With Spaces"). 2. Verify the unquoted service path: `sc qc IperiusRemotesvc` — observe `BINARY_PATH_NAME` is `C:\Random Folder With Spaces\IperiusRemote.exe` without quotes [ref_id=1]. 3. Place a malicious executable named `Random.exe` or `Folder.exe` (matching a path segment) in a location that will be resolved before the real binary. 4. Reboot the system or restart the service; the malicious binary executes with SYSTEM privileges [ref_id=1].
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.exploit-db.com/exploits/40427mitreexploit
- www.vulncheck.com/advisories/iperius-remote-unquoted-service-path-elevation-of-privilegemitrethird-party-advisory
- www.iperiusremote.commitreproduct
- www.iperiusremote.com/download.aspxmitreproduct
News mentions
0No linked articles in our index yet.