CVE-2022-50971: Malwarebytes 4.5 Unquoted Service Path Privilege Escalation
Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root path. Attackers can place executable files in unquoted path directories that execute with LocalSystem privileges during service startup or system reboot.
Security readout for executives and security teams
Plain-English summary
Malwarebytes 4.5.0 may let a local low-privileged user gain SYSTEM-level control because a Windows service path was not safely quoted. This is mainly an endpoint hardening issue: compromise requires local access first, but successful abuse could fully control the affected machine.
Executive priority
Prioritize remediation on shared workstations, developer systems, kiosks, and any endpoint where local compromise is plausible. This does not appear internet-exposed from the supplied evidence, but SYSTEM escalation can turn a small foothold into full endpoint control.
Technical view
CVE-2022-50971 is a CWE-428 unquoted service path issue in Malwarebytes MBAMService. The bundle says executable placement in unquoted path directories can lead to LocalSystem execution during service startup or reboot. CVSS v4.0 is 8.5 high with local attack vector, low complexity, low privileges, and high confidentiality, integrity, and availability impact.
Likely exposure
Exposure appears limited to endpoints running Malwarebytes 4.5.0. Systems where unprivileged local users can write into relevant path directories face higher risk. The supplied sources do not identify additional versions, server products, or cloud services as affected.
Exploitation context
An Exploit-DB reference is listed, so public exploit information exists. The source bundle marks CISA KEV as false and provides no cited evidence of active exploitation. Treat this as locally exploitable post-access privilege escalation, not a remotely reachable initial-entry vulnerability.
Researcher notes
Evidence supports Malwarebytes 4.5.0, CWE-428, local privilege escalation, and public exploit availability. The bundle does not name a fixed version, official advisory, or active exploitation. Avoid broad version claims until Malwarebytes or another cited source confirms scope and remediation.
Mitigation direction
Inventory endpoints for Malwarebytes version 4.5.0.
Check Malwarebytes guidance and downloads for a supported remediated build.
Upgrade affected installations when vendor guidance confirms remediation.
Restrict local user write access to service path directories.
Monitor service restarts and reboots on affected endpoints.
Validation and detection
Confirm whether MBAMService exists on each endpoint.
Verify installed Malwarebytes version against the affected 4.5.0 entry.
Inspect MBAMService configuration for unquoted executable paths.
Check endpoint logs for unexpected local files near service paths.
Review startup and reboot events for suspicious service execution.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-428: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-428 · source CWE mapping
Unquoted Search Path or Element
Unquoted Search Path or Element represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.