📄 Description (English)
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot.
🤖 AI Executive Summary
CVE-2022-50808 is a critical privilege escalation vulnerability in CoolerMaster MasterPlus 1.8.5 that exploits an unquoted service path in the MPService component. Local attackers can achieve system-level code execution by placing malicious executables in predictable service paths, particularly dangerous during system startup or reboot cycles. This vulnerability requires local access but provides complete system compromise capability.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 16:02
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations with IT infrastructure using CoolerMaster cooling solutions and system management tools. Most at-risk sectors include: Government agencies and NCA infrastructure (workstations and servers), Banking sector (SAMA-regulated institutions with legacy hardware), Energy sector (ARAMCO and related entities with data center operations), Telecommunications (STC, Mobily infrastructure), and Healthcare institutions. The vulnerability is particularly dangerous in enterprise environments where multiple workstations may be compromised simultaneously, enabling lateral movement and privilege escalation across networks.
🏢 Affected Saudi Sectors
Government
Banking
Energy
Telecommunications
Healthcare
IT Infrastructure
Data Centers
🎯 MITRE ATT&CK Techniques
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1036.003 - Masquerading: Rename System Utilities
T1053.005 - Scheduled Task/Job: Scheduled Task
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running CoolerMaster MasterPlus 1.8.5 across your organization
2. Restrict local access to affected systems and implement physical security controls
3. Monitor service startup logs for suspicious executable creation in service paths
PATCHING GUIDANCE:
1. Upgrade CoolerMaster MasterPlus to version 1.8.6 or later immediately
2. Verify patch installation by checking service path configuration in Registry (HKLM\SYSTEM\CurrentControlSet\Services\MPService)
3. Ensure service path is properly quoted and points to legitimate CoolerMaster installation directory
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable MPService if not actively required for operations
2. Implement strict file system permissions on service installation directories
3. Enable Windows Defender Application Guard or AppLocker to prevent unauthorized executable execution
4. Implement privileged access management (PAM) solutions to monitor service execution
DETECTION RULES:
1. Monitor Registry for unquoted service paths: reg query HKLM\SYSTEM\CurrentControlSet\Services\MPService /v ImagePath
2. Alert on executable creation in C:\Program Files, C:\Program Files (x86), and Windows temp directories
3. Monitor MPService startup events (Event ID 7045) for suspicious service modifications
4. Implement file integrity monitoring on CoolerMaster installation directories
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل CoolerMaster MasterPlus 1.8.5 في المؤسسة
2. تقييد الوصول المحلي للأنظمة المتأثرة وتنفيذ ضوابط الأمان المادي
3. مراقبة سجلات بدء الخدمة للكشف عن إنشاء ملفات تنفيذية مريبة في مسارات الخدمة
إرشادات التصحيح:
1. ترقية CoolerMaster MasterPlus إلى الإصدار 1.8.6 أو أحدث فوراً
2. التحقق من تثبيت التصحيح بفحص تكوين مسار الخدمة في السجل
3. التأكد من أن مسار الخدمة محاط بعلامات اقتباس بشكل صحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل خدمة MPService إذا لم تكن مطلوبة بنشاط
2. تنفيذ أذونات نظام الملفات الصارمة على مجلدات تثبيت الخدمة
3. تفعيل Windows Defender Application Guard أو AppLocker
4. تنفيذ حلول إدارة الوصول المميز لمراقبة تنفيذ الخدمة
قواعد الكشف:
1. مراقبة السجل للخدمات ذات المسارات غير المحاطة بعلامات اقتباس
2. تنبيهات عند إنشاء ملفات تنفيذية في مجلدات البرنامج
3. مراقبة أحداث بدء خدمة MPService
4. تنفيذ مراقبة سلامة الملفات على مجلدات التثبيت
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.5.3.1 - Privileged Access Rights
ECC 2024 A.8.1.1 - Information Security Awareness
ECC 2024 A.12.2.1 - Change Management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Hardware and Software Inventory
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights Management
SAMA CSF DE.CM-1 - System Monitoring
SAMA CSF RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.12.2 - Change Management
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0
PCI DSS 2.2 - Configuration Standards
PCI DSS 6.2 - Security Patches
PCI DSS 10.2 - User Access Logging