VYPR
Unrated severity · NVD Advisory · Published Apr 4, 2022 · Updated Aug 4, 2024

CVE-2021-43457

Description

An Unquoted Service Path vulnerability exists in bVPN 2.5.1 via a specially crafted file in the waselvpnserv service path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bVPN 2.5.1 contains an unquoted service path vulnerability in the waselvpnserv service, allowing local privilege escalation to SYSTEM.

Vulnerability

bVPN version 2.5.1 suffers from an unquoted service path vulnerability in the waselvpnserv service. The service binary path is configured as C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe without surrounding quotes [2]. Because the path is unquoted, Windows cannot tell where the executable name ends and any arguments begin, so it treats each space as a possible boundary and tries the resulting shorter paths first; an executable placed at one of those earlier locations runs instead of the intended binary. The service runs as LocalSystem and is set to auto-start [2].

Exploitation

An attacker with local access to the system can exploit this vulnerability by placing a malicious executable in a location that Windows will search before the intended binary. For example, creating a file named C:\Program.exe or C:\Program Files (x86)\bVPN.exe will cause the service to execute that file instead of the legitimate waselvpnserv.exe [1][2]. No additional authentication is required beyond standard user privileges. The attacker can then restart the service or wait for a system reboot to trigger execution.

Impact

Successful exploitation results in local privilege escalation to SYSTEM level, granting the attacker full control over the affected Windows system. This includes the ability to execute arbitrary code, install programs, and access or modify any data [1][2].

Mitigation

As of the publication date, no official patch has been released by the vendor (carolcoral.github.io) for bVPN 2.5.1 [2]. The software may be end-of-life. A workaround is to quote the service binary path with the sc config command (sc.exe requires the space after binPath=, and the inner quotes must be escaped for cmd.exe): sc config waselvpnserv binPath= "\"C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe\"". Alternatively, uninstalling bVPN eliminates the vulnerability. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
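The mechanism described in the Vulnerability section and the sc config workaround above, as an added example that is not part of this advisory or of bVPN's code: a small Python audit routine that takes service name/binPath pairs (constructed inline here; on a live host they would come from `sc qc <service>` output or the service's ImagePath registry value), flags unquoted paths that contain spaces, lists every shorter path the Service Control Manager would try before the real binary (the general rule, of which C:\Program.exe and C:\Program Files (x86)\bVPN.exe are the two instances the advisory names), and emits the corrected sc config command. The service names other than waselvpnserv, and their paths, are made up for the sample.

```python
"""Audit Windows service binary paths for the unquoted-service-path weakness.

Added example for this advisory, not VYPR's or bVPN's code. The service list
is constructed inline so the script runs offline; on a real host the same
pairs come from `sc qc <name>` or the ImagePath registry value.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    service: str
    bin_path: str
    vulnerable: bool
    # Paths Windows would try, in order, before reaching the real executable.
    # Each one is a location whose ACL a defender should verify.
    candidate_paths: list = field(default_factory=list)
    fixed_bin_path: str = ""


def split_image_path(bin_path: str):
    """Return (executable, arguments) from a binPath / ImagePath string.

    A quoted path ends at the closing quote. For an unquoted path the
    executable is taken up to the first '.exe' token, which is how a human
    reading `sc qc` output would identify the binary.
    """
    s = bin_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if m:
        return s[:m.end()], s[m.end():].strip()
    return s, ""


def candidate_prefixes(exe_path: str):
    """Shorter paths Windows tries for an unquoted executable path with spaces.

    The path is cut at each space and '.exe' is appended, which is the
    documented CreateProcess lookup order for an unquoted module name.
    Forward slashes are normalized so the output reads like a Windows path.
    """
    normalized = exe_path.replace("/", "\\")
    candidates = []
    idx = normalized.find(" ")
    while idx != -1:
        candidates.append(normalized[:idx] + ".exe")
        idx = normalized.find(" ", idx + 1)
    return candidates


def fix_bin_path(exe_path: str, args: str) -> str:
    """Quote the executable and keep any trailing service arguments."""
    return f'"{exe_path}" {args}'.strip()


def audit(services):
    """Classify each (name, binPath) pair; quoted or space-free paths are safe."""
    findings = []
    for name, bin_path in services:
        exe, args = split_image_path(bin_path)
        quoted = bin_path.strip().startswith('"')
        vulnerable = (not quoted) and (" " in exe)
        findings.append(Finding(
            name, bin_path, vulnerable,
            candidate_prefixes(exe) if vulnerable else [],
            fix_bin_path(exe, args) if vulnerable else bin_path,
        ))
    return findings


def sc_config_command(finding: Finding) -> str:
    """Build the sc.exe remediation command for cmd.exe.

    sc.exe needs a space after 'binPath=' and the inner quotes must be
    escaped with backslashes so cmd.exe passes them through.
    """
    escaped = finding.fixed_bin_path.replace('"', '\\"')
    return f'sc config {finding.service} binPath= "{escaped}"'


# Constructed sample input. Only the first entry comes from the advisory
# (forward slashes kept exactly as reported there); the others are invented.
SAMPLE_SERVICES = [
    ("waselvpnserv", "C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe"),
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\good.exe" -service'),       # quoted: safe
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),           # no spaces: safe
    ("ArgSvc", r"C:\Program Files\Acme Agent\agent.exe --mode service"),     # unquoted + args
]


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        status = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{f.service}: {status}")
        if f.vulnerable:
            for p in f.candidate_paths:
                print(f"  check ACL on: {p}")
            print(f"  fix: {sc_config_command(f)}")
```

The candidate list is the part a defender acts on: a finding is exploitable only if a standard user can create a file at one of those prefixes, so check each with `icacls` before treating it as critical, and re-run the audit after applying the sc config fix to confirm the path is now reported as quoted.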

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • bVPN/bVPN (source: description)
  • bVPN/bVPN (source: llm-create), Range: =2.5.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.