VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Attackers can place malicious executables in unquoted path directories like C:\Program Files\VX Search to execute arbitrary code with LocalSystem privileges when services restart.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
VX Search 13.5.28 is vulnerable to local privilege escalation through unquoted service paths in both its Server and Enterprise service implementations. When a Windows service is registered with an unquoted executable path containing spaces (e.g., C:\Program Files\VX Search\vxsearch.exe), the operating system attempts to locate the executable by testing progressively shorter path segments. An attacker with local file system access can place a malicious executable in a parent directory—such as C:\Program Files\vxsearch.exe—and have it execute with LocalSystem privileges when the service restarts. This vulnerability affects any organization running VX Search 13.5.28 and is particularly dangerous because it requires no network access, only local system presence, and provides a direct path to system-level compromise.
While MITRE ATT&CK mapping is not available for this specific CVE, detection focuses on the foundational techniques behind privilege escalation and persistence. Casky's Claude AI-powered analysis would detect anomalous executable placement in Program Files directories and unusual service restart behaviors—patterns consistent with CWE-428 (Unquoted Search Path or Element). A practitioner using Casky would see findings flagging suspicious executables in parent directory paths of legitimate services, unexpected service restart events with different binary execution sources, and process execution chains showing LocalSystem-level processes spawning from unusual file system locations. Extended reasoning would correlate these individual signals into a coherent attack narrative, helping security teams identify whether an unquoted path vulnerability has been actively exploited before services escalate attacker privileges to system level.
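The resolution rule described above (Windows trying each space-delimited prefix of an unquoted ImagePath) and the detection angle (an executable already sitting at one of those shorter paths) can both be checked with a small audit script. This is an added example, not Casky's or VX Search's code; the service names are constructed placeholders, and the `exists` callback is stubbed so it runs offline (on a real host, feed it ImagePath values from `HKLM\SYSTEM\CurrentControlSet\Services` and keep the default `os.path.exists`).

```python
import ntpath
import os
from typing import Callable, Dict, List

def search_candidates(image_path: str) -> List[str]:
    """Return the paths Windows (CreateProcess) would probe, in order, for an ImagePath.
    Unquoted paths with spaces yield one candidate per whitespace-delimited prefix,
    with ".exe" appended when the prefix has no extension. A quoted path, or one
    without spaces, yields exactly one candidate: the executable itself."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1 : end if end > 0 else None]]
    tokens = path.split()
    # Stop at the first token that looks like the executable; later tokens are arguments.
    last = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens) - 1)
    candidates = []
    for i in range(1, last + 2):
        cand = " ".join(tokens[:i])
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"
        candidates.append(cand)
    return candidates

def audit_services(services: Dict[str, str],
                   exists: Callable[[str], bool] = os.path.exists) -> Dict[str, dict]:
    """Flag services whose ImagePath is unquoted and contains spaces. For each, list the
    candidate paths Windows would try and any shorter candidate that already exists on
    disk, which is the planted-binary condition described in the text (CWE-428)."""
    findings = {}
    for name, image_path in services.items():
        cands = search_candidates(image_path)
        if len(cands) < 2:
            continue  # quoted or space-free: nothing for Windows to misresolve
        planted = [c for c in cands[:-1] if exists(c)]
        findings[name] = {"candidates": cands, "planted": planted}
    return findings

# Constructed sample, not a registry dump: one unquoted entry, one correctly quoted one.
SAMPLE_SERVICES = {
    "ExampleUnquotedSvc": r"C:\Program Files\VX Search\vxsearch.exe",
    "ExampleQuotedSvc": r'"C:\Program Files\VX Search\vxsearch.exe"',
}

if __name__ == "__main__":
    # exists() is stubbed here so the demo runs on any OS; drop the argument on a Windows host.
    for svc, f in audit_services(SAMPLE_SERVICES, exists=lambda p: False).items():
        print(f"{svc}: unquoted ImagePath, Windows probes {f['candidates']}")
```

The fix for a flagged service is to re-register the path with embedded quotes, e.g. `sc config <ServiceName> binPath= "\"C:\Program Files\VX Search\vxsearch.exe\""`, after which `search_candidates` returns a single entry.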
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2021-47974. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →

© 2026 Casky.AI, Inc. · AI Security Investigation