VYPR
Unrated severity · NVD Advisory · Published Oct 7, 2022 · Updated Aug 3, 2024

CVE-2022-39959

Description

Panini Everest Engine 2.0.4 allows local unprivileged users to plant a malicious Everest.exe due to an unquoted service path, leading to SYSTEM privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Panini Everest Engine version 2.0.4 on Windows contains an unquoted service path vulnerability. The service executable path, %PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe, contains a space and is not wrapped in quotes, so Windows treats the text before the space as a possible executable name and tries it before the full path. An unprivileged user can create a file named Everest.exe in the parent directory %PROGRAMDATA%\Panini, which will be executed instead of the intended EverestEngine.exe when the service starts or the system reboots [2].

Exploitation

An attacker with local unprivileged access to the system only needs to place a malicious executable named Everest.exe into the %PROGRAMDATA%\Panini folder. The attacker must then either wait for a system reboot or manually restart the Everest Engine service (which requires some limited privileges, but the initial placement does not). Once the service runs, Windows resolves the unquoted path and executes the attacker's Everest.exe before reaching the legitimate EverestEngine.exe in the subdirectory [2].

Impact

Successful exploitation results in the attacker's code running with SYSTEM privileges, because the Everest Engine service runs under the SYSTEM account. This allows a complete compromise of the affected Windows system, including full access to all files, processes, and sensitive data [2].

Mitigation

According to the vendor website reference [1], Panini has not disclosed a security update or patch for CVE-2022-39959 as of the available publication date. The affected version 2.0.4 is explicitly vulnerable; users should contact Panini for a fix or consider applying the principle of least privilege and auditing the %PROGRAMDATA%\Panini directory to prevent unprivileged writes. No workaround is documented in the provided references [1][2].
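A defender-side check for the condition described under Vulnerability and the directory audit suggested under Mitigation, added here as an example (not code from the advisory or the vendor). The function names are hypothetical and the ImagePath samples are constructed from the path quoted above; the `.exe` boundary detection is a heuristic.

```python
import ntpath
import re

# Constructed ImagePath samples built from the path quoted in the advisory.
SAMPLE_SERVICES = {
    "unquoted": r"%PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe",
    "quoted": r'"%PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe"',
    "no-space": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Return (is_quoted, executable path without arguments)."""
    p = image_path.strip()
    if p.startswith('"'):
        return True, p[1:].split('"', 1)[0]
    m = EXE_END.search(p)  # heuristic: executable ends at the first ".exe"
    return False, (p[:m.end()] if m else p)

def hijack_candidates(image_path):
    """Paths Windows would try before the intended executable."""
    quoted, exe = executable_part(image_path)
    if quoted:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe)
            if ch == " " and not exe[:i].endswith(" ")]

def quoted_form(image_path):
    """Corrected ImagePath: executable quoted, arguments left as they were."""
    quoted, exe = executable_part(image_path)
    p = image_path.strip()
    return p if quoted else '"' + exe + '"' + p[len(exe):]

def audit(services):
    """Map service name -> [(candidate, directory whose ACL needs review)]."""
    findings = {}
    for name, image_path in services.items():
        cands = hijack_candidates(image_path)
        if cands:
            findings[name] = [(c, ntpath.dirname(c)) for c in cands]
    return findings

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SERVICES).items():
        print(name, "->", quoted_form(SAMPLE_SERVICES[name]))
        for candidate, directory in hits:
            print("  would try:", candidate, "| review write access on:", directory)
```

Each flagged directory is where write access for unprivileged users should be reviewed, and the `quoted_form` result is the value the service's ImagePath should hold.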

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
