Matrix42 Remote Control Host 3.20.0031 Unquoted Path Privilege Escalation
Description
Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can place a malicious executable in the Program Files directory with a crafted name to be executed by the service during startup, gaining elevated privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: 3.20.0031
Patches
Vulnerability mechanics
Root cause
"The BINARY_PATH_NAME values for the FastViewerRemoteService and FastViewerRemoteProxy services are unquoted, causing Windows to interpret the space in the path as a delimiter and search for an alternate executable."
Attack vector
A local unprivileged user can exploit the unquoted service path to achieve privilege escalation to SYSTEM. By placing a malicious executable named `Remote.exe` inside `C:\Program Files (x86)\Matrix42\`, the Windows service control manager will interpret the space in the path and execute `Remote.exe` instead of the intended binary [ref_id=1]. The attacker then restarts the affected service or reboots the machine, and the crafted executable runs with LocalSystem privileges [CWE-428 — unquoted search path or component].
Affected code
The vulnerability affects the Matrix42 Remote Control Host version 3.20.0031, specifically the **FastViewerRemoteService** and **FastViewerRemoteProxy** Windows services. Both services have their `BINARY_PATH_NAME` set to an unquoted path under `C:\Program Files (x86)\Matrix42\Remote Control Host\`, such as `FastRemoteService.exe` and `FastProxy.exe` [ref_id=1].
What the fix does
The advisory recommends manually adding quotation marks around the ImagePath registry value for both services under `HKLM\SYSTEM\CurrentControlSet\services`. Adding quotes ensures that the full path — including spaces — is treated as a single string, preventing Windows from searching for an executable named `Remote.exe` in the parent directory [ref_id=1]. No vendor patch is referenced; the fix is a manual registry edit.
Preconditions
- configThe attacker must have local access to the Windows system and the ability to write files to `C:\Program Files (x86)\Matrix42\` (or another directory along the unquoted path).
- inputThe FastViewerRemoteService must be started (e.g., upon boot or manually) after the malicious executable is placed.
- authThe service runs under the LocalSystem account, granting SYSTEM privileges to the executed binary.
Reproduction
1. Place `notepad.exe` (or a malicious executable) in `C:\Program Files (x86)\Matrix42\` and rename it to `Remote.exe`. 2. Restart the service (e.g., `sc stop FastViewerRemoteService && sc start FastViewerRemoteService`) or reboot the machine. 3. Observe that `Remote.exe` executes with SYSTEM privileges [ref_id=1].
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/39908mitreexploit
- www.vulncheck.com/advisories/matrix42-remote-control-host-unquoted-path-privilege-escalationmitrethird-party-advisory
- www.matrix42.commitreproduct
News mentions
0No linked articles in our index yet.