Chromacam 4.0.3.0 Unquoted Service Path Privilege Escalation
Description
Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: =4.0.3.0
Patches
Vulnerability mechanics
Root cause
"The PsyFrameGrabberService binary path is not enclosed in quotes, causing Windows to interpret spaces as argument delimiters and enabling arbitrary code execution via path hijacking."
Attack vector
A local attacker who already has write access to `C:\`, `C:\Program Files (x86)\`, `C:\Program Files (x86)\Personify\`, or `C:\Program Files (x86)\Personify\ChromaCam\64\` can place a malicious executable named `Program.exe` or `PsyFrameGrabberService.exe` in one of those unquoted path directories [ref_id=1]. When the system boots, the service automatically starts as `LocalSystem`, and Windows will search the unquoted path segments in order, executing the attacker's planted file instead of the legitimate binary [ref_id=1].
Affected code
The vulnerable component is the PsyFrameGrabberService (display name: Personify Frame Transformer) in Chromacam 4.0.3.0. The service binary path is set to `C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe` without surrounding quotes, causing Windows to interpret spaces as argument separators [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. To remediate the vulnerability, the service binary path must be enclosed in double quotes (e.g., `"C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe"`) so that Windows treats the entire string as a single path rather than splitting on spaces [ref_id=1]. Without this change, any user who can write to a directory in the unquoted path can hijack the service.
Preconditions
- authAttacker must have write access to at least one directory in the unquoted service path (e.g., C:\, C:\Program Files (x86)\, C:\Program Files (x86)\Personify\, or C:\Program Files (x86)\Personify\ChromaCam\64\)
- configService must be configured to start automatically at boot (it is)
- networkAttacker must be local to the machine
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.exploit-db.com/exploits/51210mitreexploit
- www.vulncheck.com/advisories/chromacam-unquoted-service-path-privilege-escalationmitrethird-party-advisory
- personifyinc.commitreproduct
- personifyinc.com/download/chromacammitreproduct
News mentions
0No linked articles in our index yet.