Windows Firewall Control 4.8.6.0 Unquoted Service Path Privilege Escalation
Description
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: = 4.8.6.0
Patches
Vulnerability mechanics
Root cause
"Missing quotes around the service binary path allows Windows to interpret spaces as argument separators, enabling a privilege escalation via path traversal."
Attack vector
A local attacker places a malicious executable (e.g., `C:\Program.exe` or `C:\Program Files\Windows.exe`) in an unquoted directory of the service path. When the `_wfcs` service restarts or the system reboots, Windows' CreateProcess scans the unquoted path left-to-right and executes the attacker's file instead of the genuine `wfcs.exe`. Since the service runs as `LocalSystem` (SYSTEM), the malicious code gains the highest Windows privilege level.
Affected code
The vulnerable service is `_wfcs`, whose binary path is `C:\Program Files\Windows Firewall Control\wfcs.exe` (an unquoted path). The installer and service registration for Windows Firewall Control 4.8.6.0 lack quotes, creating the escalation vector.
What the fix does
No patch file is included in the bundle. The vendor should wrap the service binary path in double quotes (`"C:\Program Files\Windows Firewall Control\wfcs.exe"`), which prevents Windows from interpreting spaces as argument delimiters and eliminates the unintended search order that allows arbitrary executables to be loaded. Until a fix is applied, removing write permissions for non-administrative users on the `C:\Program Files\Windows Firewall Control` directory chain also mitigates the risk.
Preconditions
- inputThe attacker must have the ability to write an executable file to a directory that appears earlier in the unquoted path traversal order (e.g., `C:\Program.exe` or `C:\Program Files\Windows.exe`).
- configThe service `_wfcs` must be configured with an unquoted path — the default installation of version 4.8.6.0 does not add quotes around the binary path.
- authThe attacker must be able to trigger a service restart (or wait for a system reboot) after placing the malicious file.
Reproduction
The public PoC shows `sc qc _wfcs` output confirming the unquoted path `C:\Program Files\Windows Firewall Control\wfcs.exe`. An attacker can create a malicious `C:\Program.exe` (or another executable in an earlier directory component), then restart the service or reboot; the attacker's executable will run with SYSTEM privileges. See [ref_id=1] for the full PoC.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/40443mitreexploit
- www.vulncheck.com/advisories/windows-firewall-control-unquoted-service-path-privilege-escalationmitrethird-party-advisory
- www.binisoft.orgmitreproduct
News mentions
0No linked articles in our index yet.