Active Webcam 115 Unquoted Service Path Patched [better]
If a service executable is located at C:\Program Files\Active WebCam\WebCamService.exe , and the path is unquoted, Windows interprets the spaces as delimiters. When trying to launch the service, the operating system sequentially searches for and attempts to execute files in the following order:
If the output displays a BINARY_PATH_NAME like C:\Program Files (x86)\Active Webcam\WebcamService.exe without outer quotes ( " ), the service is vulnerable. 2. Automated Detection via PowerUp
Because there are spaces and no quotes, Windows attempts to execute files in the following order, appending .exe to the first string before the space: active webcam 115 unquoted service path patched
wmic service get name,displayname,pathname,startmode | findstr /i "Active Webcam" Use code with caution. The output revealed a path structurally similar to: C:\Program Files\Active Webcam\WebcamService.exe Use code with caution.
Use built‑in tools like sc or PowerShell to enumerate all services and check for unquoted paths. For example: If a service executable is located at C:\Program
Active Webcam 11.5 (developed by PY Software) contains a high-risk security vulnerability known as an Unquoted Service Path This flaw is officially tracked as CVE-2021-47790 and was first publicly documented in September 2021 Exploit-DB Vulnerability Overview: CVE-2021-47790
, allowing them to execute arbitrary code and gain full control over the affected machine. National Institute of Standards and Technology (.gov) Status: "Patched" vs. Manual Fix Automated Detection via PowerUp Because there are spaces
Run the wmic enumeration command again. The Active Webcam service should no longer appear in the filtered results.
Active Webcam is a popular software solution by Pysoft used for video surveillance and security camera management. In version 11.5 (and potentially earlier iterations), the software was discovered to contain a classic Windows configuration vulnerability known as an Unquoted Service Path .
The service can be used to launch ransomware or trojans.