
PatchSiren cyber security CVE debrief

CVE-2021-47974 Exploit Db CVE debrief

CVE-2021-47974 describes an unquoted service path weakness in VX Search 13.5.28 affecting both the VX Search Server and VX Search Enterprise services. Because the service binary path contains spaces but is not enclosed in quotes, Windows tries each space-delimited prefix of the path as an executable before it reaches the real binary. A local attacker who can write to one of those locations can drop a malicious executable that the Service Control Manager launches, with LocalSystem privileges, the next time the service starts or restarts. The NVD record maps the issue to CWE-428 and rates it High at CVSS 8.5.

Vendor: Exploit Db
Product: Unknown
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

Windows administrators, endpoint and server security teams, and anyone operating VX Search Server or VX Search Enterprise on systems where local users or untrusted code can run should treat this as a privilege-escalation risk.

Technical summary

The issue is an unquoted Windows service path. When a service's ImagePath contains spaces and is not enclosed in quotes, the Service Control Manager passes the string to CreateProcess, which tries to interpret each space-delimited prefix as the executable name before it tries the full path. For a service installed under C:\Program Files\VX Search, that means C:\Program.exe is tried first, then C:\Program Files\VX.exe, and only then the real binary. A local attacker who can create a file at one of those earlier locations can therefore supply the executable that runs in the service context, which the supplied description identifies as LocalSystem, the next time the service is started or restarted. Note that on a default installation neither C:\ (where standard users may create folders but not files) nor C:\Program Files\ is writable by unprivileged users, so practical exploitability depends on weakened directory permissions or on an attacker who already has some elevated write access; the weakness is nonetheless a reliable escalation path wherever those ACLs have been loosened.

Defensive priority

High. This is a local privilege escalation to LocalSystem, so it is especially important on multi-user systems, remote-access hosts, and servers where local code execution by lower-privileged users is possible.

Recommended defensive actions

  • Inventory hosts running VX Search Server or VX Search Enterprise and confirm whether they are on an affected version (13.5.28 is the version named in the record).
  • Verify that the service ImagePath values (visible with sc qc <service name> or under HKLM\SYSTEM\CurrentControlSet\Services\<service name>) are enclosed in quotes and do not rely on ambiguous unquoted paths with spaces.
  • Apply the vendor's remediation or upgrade guidance from the VX Search advisory and official product site; if no fixed build is available, quoting the ImagePath yourself removes the ambiguity.
  • Restrict local logon, shell access, and writable locations on systems running the affected services; in particular, confirm that C:\ and C:\Program Files\ do not grant file-creation rights to non-administrators.
  • Review service startup behavior and planned restarts, since the attack condition is tied to service start or restart.
  • Monitor for unexpected executables at the prefix locations Windows would try first (for example C:\Program.exe or C:\Program Files\VX.exe) and, more generally, for new executables in directories that are part of service path resolution under Program Files.
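The following PowerShell script is an added example, not code from the PatchSiren page or from VX Search, that ties the technical summary above to the audit and remediation steps: it enumerates every installed service whose ImagePath is unquoted and contains spaces, derives the executable names Windows would try before the real binary, tests whether the current user could actually create a file at each of those locations, and re-quotes the ImagePath for a named service. The service name and path in the comments are illustrative assumptions; the real VX Search service names are not given in the supplied record.

```powershell
# Added example: audit services for unquoted ImagePath values (CWE-428), compute the
# hijack candidates Windows would try first, test writability, and repair the path.
# Not part of the original page or of the VX Search product. Service names and paths
# in comments are assumptions for illustration.

function Get-UnquotedServicePathCandidates {
    param([string]$ImagePath)
    # Take the executable portion up to the first ".exe"; anything after it is arguments.
    $m = [regex]::Match($ImagePath, '^(?<exe>.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return @() }   # no spaces in the executable path: not ambiguous
    # CreateProcess tries each space-delimited prefix with ".exe" appended before the full path.
    # Assumed path "C:\Program Files\VX Search\bin\vxsrv.exe" yields
    #   C:\Program.exe  and  C:\Program Files\VX.exe
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WritableParent {
    param([string]$Path)
    # Probe by actually creating and deleting a random file in the parent directory.
    # On a default install C:\ lets standard users create folders but not files, so the
    # probe correctly reports C:\Program.exe as not plantable by an unprivileged user.
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { return $false }
    try {
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServices {
    # Returns one object per ambiguous service; Hijackable lists candidate paths the
    # current user could write. Run as a standard user to see what a low-privileged
    # attacker could reach; as an administrator nearly everything will show as writable.
    Get-CimInstance Win32_Service | ForEach-Object {
        $p = $_.PathName
        if ($null -eq $p -or $p.StartsWith('"')) { return }   # already quoted
        $cands = Get-UnquotedServicePathCandidates -ImagePath $p
        if ($cands.Count -eq 0) { return }
        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName          # LocalSystem is the worst case
            StartMode  = $_.StartMode
            ImagePath  = $p
            Candidates = ($cands -join '; ')
            Hijackable = (($cands | Where-Object { Test-WritableParent $_ }) -join '; ')
        }
    }
}

function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name)
    # Re-quote the executable portion of ImagePath in the registry (requires administrator).
    # The registry is edited directly because passing embedded quotes through sc.exe from
    # PowerShell is error-prone.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($current.StartsWith('"')) { return $current }
    $m = [regex]::Match($current, '^(?<exe>.*?\.exe)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "Cannot parse ImagePath for $Name: $current" }
    $fixed = '"' + $m.Groups['exe'].Value + '"' + $m.Groups['args'].Value
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed
    return $fixed
}

# Usage: list ambiguous services, then fix the ones you own (service name is an assumption).
Find-UnquotedServices | Format-Table -AutoSize
# Repair-UnquotedServicePath -Name 'VXSearchServer'
```

The candidate list, not just the unquoted flag, is what matters for triage: an unquoted path is only exploitable if one of the earlier prefixes is writable by a lower-privileged principal, which is why the audit probes each parent directory rather than relying on the ImagePath string alone. Restart the service after repairing the path so the quoted value takes effect, and re-run the audit to confirm the service no longer appears.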

Evidence notes

This debrief is based only on the supplied corpus: the NVD record for CVE-2021-47974, the referenced VulnCheck advisory, the referenced Exploit-DB entry, and the VX Search official site link. The supplied NVD metadata identifies CWE-428 and provides the CVSS vector and vulnerability status. The public record dates in the supplied timeline were used as provided and should not be interpreted as the original discovery date.

Official resources

Public references in the supplied corpus include the NVD record, a VulnCheck advisory, and an Exploit-DB entry. The issue is described as a local privilege-escalation weakness in VX Search services.