Vulnerabilities ›

CVE-2021-47974

High

CWE-428 — Weakness Type

                    Published: May 16, 2026                      ·  Modified: May 23, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Attackers can place malicious executables in unquoted path directories like C:\Program Files\VX Search to execute arbitrary code with LocalSystem privileges when services restart.

🤖 AI Executive Summary

CVE-2021-47974 is a local privilege escalation vulnerability in VX Search 13.5.28 affecting both Server and Enterprise services through unquoted service paths. Attackers with local access can place malicious executables in C:\Program Files\VX Search to achieve LocalSystem privileges upon service restart. With a CVSS score of 7.8 and no available patch, this poses a significant risk to organizations using this search indexing software.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 21, 2026 01:01

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using VX Search for document indexing and search operations. Banking sector organizations (SAMA-regulated) face elevated risk if VX Search is deployed on critical systems. Government entities under NCA oversight and healthcare organizations managing sensitive patient records are at particular risk. Energy sector organizations and telecommunications companies using this software for internal search infrastructure could experience system compromise leading to data exfiltration or operational disruption.

🏢 Affected Saudi Sectors

Government & Public Administration Banking & Financial Services Healthcare Energy & Utilities Telecommunications Large Enterprises with Document Management Systems

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.011 - Boot or Logon Autostart Execution: Services T1134.003 - Access Token Manipulation: Make and Impersonate Token T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking T1036.003 - Masquerading: Rename System Utilities T1611 - Escape to Host

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all systems running VX Search 13.5.28 Server and Enterprise services across your infrastructure

2. Restrict local access to affected systems through access control lists and physical security measures

3. Monitor service restart logs and process execution from C:\Program Files\VX Search directory

4. Implement application whitelisting to prevent unauthorized executable execution



Compensating Controls (until patch available):

5. Apply NTFS permissions to C:\Program Files\VX Search restricting write access to Administrators only

6. Disable unnecessary local user accounts and enforce strong password policies

7. Implement privileged access management (PAM) solutions to monitor LocalSystem privilege usage

8. Use Windows AppLocker or similar tools to prevent execution from Program Files subdirectories by non-system processes



Detection Rules:

9. Monitor for file creation events in C:\Program Files\VX Search with suspicious extensions (.exe, .dll, .scr)

10. Alert on VX Search service restart events followed by unexpected process execution

11. Track registry modifications related to VX Search service configuration

12. Contact VX Search vendor for patch availability and upgrade timeline

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل خدمات VX Search 13.5.28 Server و Enterprise عبر البنية التحتية الخاصة بك

2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال قوائم التحكم في الوصول والتدابير الأمنية المادية

3. مراقبة سجلات إعادة تشغيل الخدمة وتنفيذ العمليات من دليل C:\Program Files\VX Search

4. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ الملفات التنفيذية غير المصرح بها

الضوابط البديلة (حتى توفر التصحيح):

5. تطبيق أذونات NTFS على C:\Program Files\VX Search مع تقييد الوصول للكتابة للمسؤولين فقط

6. تعطيل حسابات المستخدمين المحلية غير الضرورية وفرض سياسات كلمات مرور قوية

7. تنفيذ حلول إدارة الوصول المميز (PAM) لمراقبة استخدام امتيازات LocalSystem

8. استخدام Windows AppLocker أو أدوات مماثلة لمنع التنفيذ من أدلة Program Files من قبل العمليات غير النظامية

قواعد الكشف:

9. مراقبة أحداث إنشاء الملفات في C:\Program Files\VX Search بامتدادات مريبة (.exe, .dll, .scr)

10. تنبيهات عند إعادة تشغيل خدمة VX Search متبوعة بتنفيذ عملية غير متوقعة

11. تتبع تعديلات السجل المتعلقة بتكوين خدمة VX Search

12. الاتصال بمورد VX Search للحصول على توفر التصحيح والجدول الزمني للترقية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.1 - Access control policy A.6.2.1 - User registration and access rights management A.8.2.1 - Classification of information A.9.1.1 - Physical security perimeter A.9.2.1 - Physical entry controls

🔵 SAMA CSF

Governance & Risk Management - Risk Assessment Information & Cybersecurity - Access Control Information & Cybersecurity - System Hardening Incident Management - Detection & Response

🟡 ISO 27001:2022

5.3 - Segregation of duties 6.1.2 - Segregation of information security responsibilities 8.1.1 - User endpoint devices 8.2.1 - User registration and access rights 8.2.2 - Privileged access rights 8.3.1 - Password management 8.3.2 - Privileged access management

🔗 References & Sources 3

🔗

https://www.exploit-db.com/exploits/50026

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/vx-search-unquoted-service-path-privilege-escalation

disclosure@vulncheck.com

🔗

https://www.vxsearch.com

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-05-16

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-47974

Introduce Yourself

Sign In Required