CVE-2024-24722
Description
An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unquoted service path in 12d Synergy Server and File Replication Server allows local privilege escalation; fixed in versions 4.3.10.192, 5.1.5.221, 5.1.6.235.
Vulnerability
CVE-2024-24722 is an unquoted service path vulnerability affecting the 12d Synergy Server and 12d Synergy File Replication Server executable service paths. When a service path contains spaces and is not enclosed in quotation marks, Windows cannot tell where the executable name ends, so it treats each space as a possible end of the name and tries the shortest candidate first. For example, a path like C:\Program Files (x86)\12d\12d Synergy\12dSynergyServerservice.exe causes Windows to try executing C:\program.exe first [2]. This issue impacts all versions of 12d Synergy Server and 12d Synergy File Replication Server prior to the fix releases [2].
Exploitation
An attacker must have local access to the server to exploit this vulnerability [2]. The attacker would place a malicious executable at a location that Windows will try to run before the intended service executable. For instance, placing a malicious program.exe in C:\ would cause that file to execute as the service, with the privileges of the service account [2]. The attack requires the ability to write to a directory along the unquoted path, which in many configurations is achievable by a low-privileged local user, leading to potential privilege escalation.
Impact
Successful exploitation allows an attacker to achieve privilege escalation by running an arbitrary executable with the same privileges as the affected service. This could lead to full compromise of the server, including unauthorized access to sensitive data, modification of system configurations, and denial of service. Cloud customers are not affected, as the issue has already been resolved in the cloud environment [2].
Mitigation
The vulnerability is fixed in versions 4.3.10.192, 5.1.5.221, and 5.1.6.235, released on 2024-02-19 [2]. Administrators should upgrade to one of these versions or later. As a temporary workaround, the service binary path can be manually quoted using the sc config command. For example, run sc config "12dSynergyServer" binPath= "\"C:\Program Files (x86)\12d\12d Synergy\4.0\Server\12dSynergyServerService.exe\"" and then restart the service [2]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of February 2024.
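To find which services still need the quoting workaround, the check below takes service binary paths (as exported from sc qc or the registry ImagePath value) and reports the earlier candidates Windows would try, plus the directories whose write permissions should be reviewed. It is an added example, not code from 12d or the cited references. The function names are hypothetical, and the sample map is constructed from the two paths quoted on this page plus one invented entry.

```python
import ntpath
import re

def earlier_candidates(image_path):
    """Paths Windows would try before the intended binary; [] if none."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    # Executable portion ends at the first ".exe"; anything after is arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    exe = m.group(1) if m else path
    found = []
    for i, ch in enumerate(exe):
        if ch != " ":
            continue
        prefix = exe[:i].rstrip()
        # CreateProcess appends .exe when the file name has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        if prefix not in found:
            found.append(prefix)
    return found

def audit(services):
    """Map service name -> candidates and the directories whose ACLs to review."""
    report = {}
    for name, image_path in services.items():
        cands = earlier_candidates(image_path)
        if cands:
            report[name] = {
                "candidates": cands,
                "review_dirs": sorted({ntpath.dirname(c) for c in cands}),
            }
    return report

# Constructed sample input: first path as quoted in the Vulnerability section,
# second is the quoted workaround form, third is an invented service whose
# only spaces are in its arguments (not a finding).
SAMPLE = {
    "12dSynergyServer": r"C:\Program Files (x86)\12d\12d Synergy\12dSynergyServerservice.exe",
    "QuotedExample": r'"C:\Program Files (x86)\12d\12d Synergy\4.0\Server\12dSynergyServerService.exe"',
    "ArgsOnlyExample": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
}

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(name, info)
```

An empty report after applying the fix release or the sc config workaround confirms that no audited service path is still ambiguous.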
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12d/Synergy Server and File Replication Server
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.