VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Wise Care 365 4.27 and Wise Disk Cleaner 9.29 Unquoted Service Path Privilege Escalation

CVE-2016-20093

Description

Wise Care 365 4.27 and Wise Disk Cleaner 9.29 contain unquoted service path vulnerabilities in the WiseBootAssistant and SpyHunter 4 Service respectively, allowing local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that execute during service startup or system reboot with elevated privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Vulnerability mechanics

Root cause

"Unquoted service binary path allows Windows to interpret spaces as argument separators, enabling an attacker to place a malicious executable earlier in the path resolution order."

Attack vector

A local non-privileged user can exploit the unquoted service path by placing a malicious executable at a path that Windows will resolve before the intended binary. For example, a file named `C:\Program.exe` or `C:\Program Files\Wise.exe` would be executed instead of the intended service binary. Because both services run as `LocalSystem`, the attacker's code gains SYSTEM privileges [ref_id=1]. The attack requires the ability to write to a location in the system root path that is searched during service startup or system reboot [ref_id=1].

Affected code

The vulnerable services are WiseBootAssistant (installed by Wise Care 365 4.27) and SpyHunter 4 Service (installed by Wise Disk Cleaner 9.29). Both services have unquoted binary path names: `C:\Program Files\Wise\Wise Care 365\BootTime.exe` and `C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe` [ref_id=1].

What the fix does

The advisory does not include a patch. To remediate the vulnerability, the vendor should enclose the binary path in quotes (e.g., `"C:\Program Files\Wise\Wise Care 365\BootTime.exe"`) so that Windows treats the entire string as a single path and does not attempt to interpret spaces as separators [ref_id=1]. Without a fix, users must manually ensure service binary paths are quoted or restrict write permissions on the affected directories.
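The manual check described above can be run over exported service configurations. This is an added audit example, not code from the advisory or the vendor: it flags unquoted `ImagePath` values, lists the locations Windows would try before the intended binary so they can be verified, and produces the quoted form. The two control entries and all function names are constructed for illustration, and it assumes the executable name ends in `.exe`.

```python
import re

# Constructed sample: service name -> ImagePath string, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The first two
# paths are the ones named in the advisory; the rest are made-up controls.
SAMPLE_SERVICES = {
    "WiseBootAssistant": r"C:\Program Files\Wise\Wise Care 365\BootTime.exe",
    "SpyHunter 4 Service": r"C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe",
    "QuotedControl": r'"C:\Program Files\Example\svc.exe" -k run',
    "NoSpaceControl": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def binary_path(image_path):
    """Return the unquoted executable portion, or None if the value is quoted."""
    value = image_path.strip()
    if value.startswith('"'):
        return None
    m = EXE_END.search(value)
    # Assumption: with no ".exe" present, treat the whole value as the path.
    return value[:m.end()] if m else value

def interception_candidates(image_path):
    """Paths Windows would try before the intended binary (empty if safe)."""
    path = binary_path(image_path)
    if path is None or " " not in path:
        return []
    # Each space ends a candidate file name; Windows appends ".exe" to it.
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]

def quoted_fix(image_path):
    """Return the ImagePath with the executable portion wrapped in quotes."""
    path = binary_path(image_path)
    if path is None:
        return image_path
    return '"' + path + '"' + image_path.strip()[len(path):]

def audit(services):
    """Map each vulnerable service to (candidates, corrected ImagePath)."""
    return {name: (interception_candidates(p), quoted_fix(p))
            for name, p in services.items() if interception_candidates(p)}

if __name__ == "__main__":
    for name, (cands, fix) in audit(SAMPLE_SERVICES).items():
        print(f"{name}: set ImagePath to {fix}")
        for c in cands:
            print(f"  verify absent and directory not user-writable: {c}")
```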

Preconditions

  • input: The attacker must have local access to the system and be able to write a malicious executable to a directory that is part of the unquoted path resolution (e.g., `C:\` or `C:\Program Files\`).
  • config: The vulnerable services (WiseBootAssistant or SpyHunter 4 Service) must be configured to auto-start, which they are by default.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
