CVE-2022-50935

Internet Telcel · Flame II HSPA USB Modem

The Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration, allowing for potential privilege escalation.

Executive summary

An unquoted service path vulnerability in the Flame II HSPA USB Modem Windows service allows an attacker to execute arbitrary code with elevated system privileges.

Vulnerability

The Windows service associated with the modem uses an unquoted path ('C:\Program Files (x86)\Internet Telcel\ApplicationController.exe'). This allows a local attacker to place a malicious executable in the path, which the system will execute with elevated privileges when the service starts.

Business impact

This vulnerability allows for local privilege escalation, a critical risk for any workstation using this hardware. A successful exploit grants the attacker system-level access, which can be used to bypass security controls, install persistent backdoors, or exfiltrate sensitive data.

Remediation

Immediate Action: Update the modem driver and service software to the latest version provided by the vendor.

Proactive Monitoring: Monitor for unexpected executable files appearing in the C:\Program Files (x86)\Internet Telcel\ directory.

Compensating Controls: If a patch is unavailable, manually quote the service path in the Windows Registry (HKLM\SYSTEM\CurrentControlSet\Services) to prevent the service from executing unauthorized binaries.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Unquoted service path vulnerabilities are a well-understood vector for privilege escalation. Administrators should treat this as a high-priority item, ensuring that the service configuration is hardened or the software is updated to the latest version to mitigate the risk of local system compromise.