📄 Description (English)
Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that would run with LocalSystem permissions during service startup.
🤖 AI Executive Summary
CVE-2022-50902 is a critical privilege escalation vulnerability in Wondershare FamiSafe 1.0 affecting the FSService with an unquoted service path. Local attackers can inject malicious executables into the service path to achieve code execution with LocalSystem privileges. While no public exploit is available, the vulnerability is trivial to exploit and poses significant risk to organizations using this parental control software across their endpoints.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 16:03
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using Wondershare FamiSafe for employee or student monitoring, particularly in: Government agencies (NCA, Ministry of Education) implementing endpoint monitoring; Educational institutions (universities, schools) using parental control software; Corporate environments (banking, telecom, energy sectors) deploying device management solutions; Healthcare facilities monitoring staff devices. The LocalSystem privilege escalation enables attackers to bypass security controls, install persistent malware, and compromise sensitive data across these critical sectors.
🏢 Affected Saudi Sectors
Government
Education
Banking
Telecommunications
Energy
Healthcare
Corporate/Enterprise
🎯 MITRE ATT&CK Techniques
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1036.003 - Masquerading: Rename System Utilities
T1574.008 - Hijacking Execution Flow: DLL Search Order Hijacking
T1574.012 - Hijacking Execution Flow: COR_PROFILER Environment Variable
T1112 - Modify Registry
T1562.008 - Impair Defenses: Disable or Modify Tools
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Wondershare FamiSafe 1.0 using endpoint discovery tools
2. Restrict local administrative access to affected systems
3. Implement application whitelisting to prevent unauthorized executable execution in Program Files directories
4. Monitor FSService startup and execution logs for anomalies
PATCHING:
1. Upgrade Wondershare FamiSafe to version 2.0 or later immediately
2. Verify patch installation by checking service path configuration: sc qc FSService
3. Restart affected systems after patching
COMPENSATING CONTROLS (if upgrade delayed):
1. Apply NTFS permissions restricting write access to C:\Program Files (x86)\Wondershare\FamiSafe\ to Administrators only
2. Disable FSService if not actively required
3. Implement file integrity monitoring on the FamiSafe installation directory
4. Deploy behavioral detection for suspicious service modifications
DETECTION:
1. Monitor Windows Event Viewer for Service Control Manager events (Event ID 7045) related to FSService
2. Alert on file creation/modification in C:\Program Files (x86)\Wondershare\FamiSafe\ outside of patch windows
3. Track process execution with parent process FSService.exe
4. Monitor registry changes to HKLM\SYSTEM\CurrentControlSet\Services\FSService
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل Wondershare FamiSafe 1.0 باستخدام أدوات اكتشاف نقاط النهاية
2. تقييد الوصول الإداري المحلي للأنظمة المتأثرة
3. تطبيق قائمة بيضاء للتطبيقات لمنع تنفيذ الملفات التنفيذية غير المصرح بها في أدلة Program Files
4. مراقبة بدء تشغيل FSService وسجلات التنفيذ للكشف عن الشذوذ
التصحيح:
1. ترقية Wondershare FamiSafe إلى الإصدار 2.0 أو أحدث فوراً
2. التحقق من تثبيت التصحيح بفحص تكوين مسار الخدمة: sc qc FSService
3. إعادة تشغيل الأنظمة المتأثرة بعد التصحيح
الضوابط البديلة (إذا تأخر الترقية):
1. تطبيق أذونات NTFS تقيد الوصول للكتابة إلى C:\Program Files (x86)\Wondershare\FamiSafe\ للمسؤولين فقط
2. تعطيل FSService إذا لم تكن مطلوبة بنشاط
3. تطبيق مراقبة سلامة الملفات على دليل تثبيت FamiSafe
4. نشر الكشف السلوكي لتعديلات الخدمة المريبة
الكشف:
1. مراقبة Windows Event Viewer لأحداث Service Control Manager (معرف الحدث 7045) المتعلقة بـ FSService
2. التنبيه عند إنشاء/تعديل الملفات في C:\Program Files (x86)\Wondershare\FamiSafe\ خارج نوافذ التصحيح
3. تتبع تنفيذ العملية مع عملية الوالد FSService.exe
4. مراقبة تغييرات السجل إلى HKLM\SYSTEM\CurrentControlSet\Services\FSService
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management
A.5.2.2 - Privileged access rights
A.5.2.3 - User access review
A.8.1.1 - Asset inventory and ownership
A.8.2.1 - Classification of information
A.8.3.1 - Media handling
A.12.2.1 - Restrictions on software installation
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
🔵 SAMA CSF
Governance - Policy and Risk Management
Governance - Organizational Structure
Asset Management - Hardware and Software Asset Management
Access Control - User Access Management
Access Control - Privileged Access Management
Cryptography - Cryptographic Controls
Physical and Environmental Security - Physical Security
Operations - Change Management
Operations - Incident Management
Operations - Monitoring and Logging
🟡 ISO 27001:2022
5.1 - Policies for information security
5.2 - Information security roles and responsibilities
5.3 - Segregation of duties
6.1 - Screening
6.2 - Terms and conditions of employment
6.5 - Access rights review
8.1 - User endpoint devices
8.2 - Privileged access rights
8.3 - Information access restriction
8.6 - Access control for change of information
8.32 - Change of ownership or responsibility
12.4 - Logging
12.6 - Management of technical vulnerabilities