CVE-2020-37055
SpyHunter · SpyHunter Multiple Products
Executive summary
A high-severity vulnerability exists in SpyHunter security products that could allow a local attacker to take full control of an affected system. The flaw, known as an unquoted service path, can be exploited by a malicious user with standard access to run their own code with the highest system privileges. This would allow an attacker to completely compromise the machine, steal data, and potentially move to other systems on the network.
Vulnerability
This vulnerability is an unquoted service path. The SpyHunter service executable's path is registered in Windows without being enclosed in quotation marks. When such a path contains spaces (e.g., C:\Program Files\SpyHunter\service.exe), Windows cannot tell where the executable name ends and any arguments begin, so it tries each space-delimited prefix as an executable in turn (C:\Program.exe before the intended C:\Program Files\SpyHunter\service.exe). An attacker with local access and permission to write to a parent directory (such as C:\) can place a malicious executable named Program.exe in that location. When the system next starts the SpyHunter service, it runs the attacker's file with SYSTEM-level privileges instead of the legitimate service.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation allows for a full privilege escalation, enabling an attacker with basic user access to gain complete administrative (SYSTEM) control over the affected endpoint. The business impact includes the potential for total system compromise, leading to data theft of sensitive corporate or personal information, deployment of ransomware or other persistent malware, and the ability for an attacker to use the compromised machine as a pivot point to attack other resources on the internal network. Since SpyHunter is a security product, its compromise could also be used to disable other security controls and evade detection.
Remediation
Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately. After patching, monitor system logs for any signs of pre-patch exploitation, such as unexpected service failures or unauthorized process execution. Review access logs to identify any accounts that may have been used to exploit this vulnerability.
Proactive Monitoring: Monitor Windows Event Logs (System and Security) for unusual service behavior, particularly Event ID 7000 (Service Start Failed) related to the SpyHunter service. Enable and monitor process creation logging (Event ID 4688) to detect suspicious executables (e.g., Program.exe, Common.exe) launching from root directories like C:\ or C:\Program Files.
Compensating Controls: If patching cannot be performed immediately, implement application control solutions like AppLocker or Windows Defender Application Control to prevent the execution of unauthorized executables from world-writable directories. Additionally, enforce strict file system permissions to prevent non-administrative users from creating files in root-level directories.
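The following script is an added example, not code from the advisory or from the SpyHunter vendor. It implements the prefix-probing rule described under Vulnerability to flag unquoted ImagePath values and to derive the exact file names Windows would try before the real binary; that list doubles as the process-creation (Event ID 4688) watchlist suggested under Proactive Monitoring. The service names and all paths other than the advisory's own C:\Program Files\SpyHunter\service.exe example are constructed placeholders; the registry reader is only usable on a Windows host and is not called by default.

```python
"""Flag unquoted service ImagePath values and list the hijack locations
Windows would probe before the real binary (added example, not vendor code)."""
import re
from dataclasses import dataclass

_EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)


@dataclass
class ServicePathFinding:
    service: str
    image_path: str
    probe_order: list  # executables Windows would try before the real one


def hijack_candidates(image_path: str) -> list:
    """Return the file names Windows would try before the real service binary.

    Mirrors CreateProcess's documented handling of an unquoted command line:
    the string is split at each space and every prefix is tried as an
    executable (".exe" is appended when the prefix has no extension) until one
    exists. Quoted paths and paths without spaces are unambiguous.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    candidates = []
    for match in re.finditer(" ", path):
        prefix = path[: match.start()]
        if _EXE_RE.search(prefix):
            break  # this prefix is the real executable; the rest are arguments
        leaf = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in leaf else prefix + ".exe")
    return candidates


def scan_service_paths(image_paths: dict) -> list:
    """Return a finding for every service whose ImagePath can be hijacked."""
    findings = []
    for service, image_path in sorted(image_paths.items()):
        probes = hijack_candidates(image_path)
        if probes:
            findings.append(ServicePathFinding(service, image_path, probes))
    return findings


def process_creation_watchlist(findings: list) -> set:
    """Distinct paths to alert on in process-creation logs (Event ID 4688)."""
    return {p.lower() for f in findings for p in f.probe_order}


def read_image_paths_from_registry() -> dict:
    """On a Windows host, collect the ImagePath value of every installed service.

    Only callable on Windows; the constructed sample below stands in elsewhere.
    """
    import winreg  # standard library on Windows only

    result = {}
    services_key = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services_key) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    result[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # service without an ImagePath value (e.g. a driver stub)
    return result


# Constructed sample of ImagePath values. The SpyHunter path is the advisory's
# illustrative example; the service names are placeholders, not real ones.
SAMPLE_IMAGE_PATHS = {
    "ExampleSpyHunterSvc": r"C:\Program Files\SpyHunter\service.exe",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\agent.exe" -service',
    "ExampleNoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleTwoGapsSvc": r"C:\Program Files\Example Vendor\Update Agent\upd.exe -s",
}

if __name__ == "__main__":
    hits = scan_service_paths(SAMPLE_IMAGE_PATHS)
    for hit in hits:
        print(f"{hit.service}: {hit.image_path}")
        for probe in hit.probe_order:
            print(f"    would run first if present: {probe}")
    print("4688 watchlist:", sorted(process_creation_watchlist(hits)))
```

On a Windows host, replace SAMPLE_IMAGE_PATHS with read_image_paths_from_registry() to audit the live service table; each probe path reported is a location where an ACL check for non-administrative write access is warranted, and the lowercase watchlist can be matched against the NewProcessName field of Event ID 4688 records.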
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high severity (CVSS 7.8) and the simplicity of exploitation for an attacker who has already gained local access, we recommend that organizations prioritize patching this vulnerability immediately. Although it is not on the CISA KEV list, the risk of complete system compromise is significant. All endpoints running the affected SpyHunter products should be identified and updated to the latest version to mitigate the risk of privilege escalation and subsequent lateral movement within the network.