Privilege escalation through unquoted service binary path on Cloudflare WARP for Windows
Description
Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with non-administrative privileges can become an administrator by abusing the unquoted service path issue. Since version 1.2.2695.1, the vulnerability was fixed by adding quotes around the service's binary path. This issue affects Cloudflare WARP for Windows, versions prior to 1.2.2695.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cloudflare WARP for Windows contains an unquoted service path vulnerability allowing local privilege escalation to administrator.
Vulnerability
Cloudflare WARP for Windows versions prior to 1.2.2695.1 have an unquoted service path vulnerability. The service binary path for the WARP service lacks quotes, enabling a local attacker to insert a malicious executable into an intermediate path that Windows will execute with SYSTEM privileges [1].
Exploitation
An attacker with non-administrative access to the system can place a crafted executable named to match a path segment (e.g., C:\Program.exe) that Windows will execute before the legitimate service binary. No user interaction is required beyond the ability to write to a directory in the unquoted path [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, achieving full privilege escalation to administrator [1].
Mitigation
The vulnerability is fixed in Cloudflare WARP for Windows version 1.2.2695.1 by adding quotes around the service binary path. Users should update to this version or later [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <1.2.2695.1
- Cloudflare/Cloudflare WARP for Windowsv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22hmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.