Network Inventory Advisor 5.0.26.0 Unquoted Service Path Privilege Escalation
Description
Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: = 5.0.26.0
Patches
Vulnerability mechanics
Root cause
"The service binary path is not enclosed in quotes, enabling Windows' space-delimited path resolution to execute an unintended executable placed in an intermediate directory."
Attack vector
The service binary path `C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe` is stored without quotes [ref_id=1]. When the Windows Service Control Manager starts the service, it resolves the path by treating each space as a delimiter, causing it to attempt execution of `C:\Program.exe`, `C:\Program Files (x86)\ClearApps\Network.exe`, etc. A local attacker who can write to any of these intermediate directories can plant a malicious executable that will run with **LocalSystem** privileges when the service starts (auto-start is enabled) [ref_id=1]. No authentication beyond local filesystem access is required. An attacker with unprivileged access can place a payload at a path such as `C:\Program Files (x86)\ClearApps\Network.exe` to hijack the service startup.
What the fix does
The advisory does not include a vendor patch. The standard remediation for an unquoted service path vulnerability is to enclose the binary path in double quotes in the service configuration, e.g. `"C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe"`. This prevents the Service Control Manager from misinterpreting spaces as argument separators. Without vendor confirmation, administrators should manually apply this fix or restrict write permissions on all directories in the path to prevent malicious executable placement.
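An audit check for the two remediations above, added here as an example (not code from the advisory or the vendor): it reads the `BINARY_PATH_NAME` line from `sc qc` output, lists the candidate paths an unquoted value exposes, the directories whose write permissions need review, and the quoted replacement value. The function names and the sample output are constructed for illustration; only the path, start type and account come from this page.

```python
import re
from ntpath import dirname  # Windows path rules, usable on any OS

# Constructed sample in the `sc qc` output layout; only the path, the
# auto-start setting and the LocalSystem account come from the advisory text.
SAMPLE_SC_QC = r"""
SERVICE_NAME: niaservice
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_text):
    """Return the raw BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_text, re.M)
    if not m:
        raise ValueError("no BINARY_PATH_NAME line found")
    return m.group(1)

def audit(raw):
    """Report whether a service path is unquoted and what that exposes."""
    if raw.startswith('"'):
        return {"vulnerable": False, "candidates": [], "check_dirs": [], "fix": raw}
    # Heuristic (assumption): the image ends at the first ".exe"; the rest is arguments.
    m = re.match(r"(.*?\.exe)(.*)", raw, re.I)
    image, args = (m.group(1), m.group(2)) if m else (raw, "")
    # Each prefix that ends at a space is tried as "<prefix>.exe" before the full path.
    candidates = [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]
    # Parent directories of those candidates: non-administrators must not be able to write here.
    check_dirs = list(dict.fromkeys(dirname(c) for c in candidates))
    return {"vulnerable": bool(candidates), "candidates": candidates,
            "check_dirs": check_dirs, "fix": f'"{image}"{args}'}

if __name__ == "__main__":
    report = audit(binary_path(SAMPLE_SC_QC))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live host, feed `binary_path` the real `sc qc niaservice` output and review the ACLs of each directory in `check_dirs`.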
Preconditions
- auth: Local user access to the Windows system where the service is installed
- input: Ability to write to an intermediate directory in the unquoted path (e.g., `C:\Program Files (x86)\ClearApps\`)
- config: The niaservice service has auto-start enabled, triggering execution on boot or restart
Reproduction
The exploit-db entry does not provide reproduction steps beyond showing the `sc qc niaservice` output that reveals the unquoted path. No full PoC script is included.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/47584 (mitre, exploit)
- www.vulncheck.com/advisories/network-inventory-advisor-unquoted-service-path-privilege-escalation (mitre, third-party-advisory)
- www.network-inventory-advisor.com (mitre, product)
- www.network-inventory-advisor.com/download.html (mitre, product)