CWE-428

Detailed analysis of CWE-428, 'Unquoted Search Path or Element', explaining execution logic flaws and how Precogs AI detects vulnerable service configurations.

Verified by Precogs Threat Research

CWE-428: Unquoted Search Path or Element

CWE-428 describes a vulnerability where an application builds a search path, or the path of an executable it launches, that contains spaces without escaping them or enclosing the path in quotation marks. The operating system then has to guess where the file name ends, and it tries several candidate paths in turn. If an attacker can place a malicious executable at one of the intermediate candidates that is evaluated first, it runs with the privileges of the caller, which commonly means local privilege escalation.


How CWE-428 Occurs

This vulnerability is most commonly seen in Windows services started by the Service Control Manager (SCM) and in scheduled tasks. When the SCM starts a service whose ImagePath contains spaces and is not quoted (such as C:\Program Files\App\service.exe), the underlying CreateProcess call cannot tell where the executable name ends and the arguments begin. It therefore tries every prefix that ends at a space, appending .exe when the prefix has no extension, and runs the first file that exists.

For the path above it will attempt to run, in order:

  1. C:\Program.exe
  2. C:\Program Files\App\service.exe

If an attacker can write to the directory in which an earlier candidate would live (C:\ in this example), they drop a Program.exe there, and the next time the service starts it executes that payload with the service's privileges instead of the legitimate application. Two caveats determine real-world exploitability: on a default Windows installation standard users cannot create files in C:\ or C:\Program Files, so the attack usually hinges on a vendor install directory with loose ACLs somewhere along the path (for example a writable C:\Vendor Tools\ that makes C:\Vendor Tools\Sub.exe plantable); and the attacker needs the service to restart, either through a reboot or because unprivileged users are allowed to stop and start it.
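The following model reproduces the resolution rule described above for any unquoted ImagePath and reports which candidates an attacker could plant. It is an added example, not Precogs code, and runs offline: the service entry and the set of attacker-writable directories are constructed inline rather than read from a real registry or filesystem. It assumes, for static analysis, that the intended executable ends at the first whitespace-separated token carrying an executable extension; CreateProcess itself simply stops at the first candidate file that exists.

```python
"""Model of how the Windows SCM (via CreateProcess) resolves an unquoted ImagePath,
and which of the resulting candidate files an attacker could plant (CWE-428).
Added example for illustration; not Precogs code. No registry or filesystem access."""

import ntpath

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")


def parse_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted).

    Assumption for an unquoted value: the executable ends at the first token that has an
    executable extension, everything after it is arguments. A quoted value is unambiguous."""
    value = image_path.strip()
    if value.startswith('"'):
        close = value.find('"', 1)
        if close == -1:
            raise ValueError("unterminated quote in ImagePath")
        return value[1:close], value[close + 1:].strip(), True
    tokens = value.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXTENSIONS):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    # No recognisable extension: treat the whole value as the executable.
    return value, "", False


def createprocess_candidates(image_path):
    """Return the files CreateProcess would try, in order, for an ImagePath.

    A quoted path yields exactly one candidate. An unquoted path is split at every space;
    each prefix is a candidate, with ".exe" appended when the prefix has no extension."""
    exe, _args, quoted = parse_image_path(image_path)
    if quoted:
        return [exe]
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(image_path, writable_dirs):
    """Candidates an attacker can satisfy: tried before the legitimate binary and located
    in a directory the attacker can write to. `writable_dirs` is supplied by the caller
    (here a constructed list); on a real host it would come from an ACL check."""
    cands = createprocess_candidates(image_path)
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in cands[:-1]
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


if __name__ == "__main__":
    # Constructed sample: a third-party agent installed under a directory with loose ACLs.
    sample = r"C:\Vendor Tools\Sub Dir\agent.exe -k run"
    print("candidates tried:", createprocess_candidates(sample))
    # Constructed assumption: the vendor made its install root writable to Users.
    print("plantable by attacker:", hijack_points(sample, [r"C:\Vendor Tools"]))
```

For the page's own example, C:\Program Files\App\service.exe, the model yields C:\Program.exe followed by the real binary; for the constructed sample it shows that C:\Vendor.exe is out of reach (C:\ is not in the writable set) while C:\Vendor Tools\Sub.exe is plantable.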


Impact

The consequences of this vulnerability are severe because the affected binary is typically enterprise software or a system agent whose service runs as NT AUTHORITY\SYSTEM or as a local Administrator.

  • Privilege Escalation: Standard users can gain full system-level access.
  • Persistence: Attackers can establish persistent access to the host.
  • Evasion: The malicious payload effectively masquerades as a legitimate system service.

Remediation

Quote the executable path wherever it is stored: the service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<Name>, the installer script that writes it, and any scheduled-task or script definition that launches the binary. The quotes must enclose only the executable, with the arguments left outside them.

// Before (Insecure Registry Value for ImagePath):
C:\Program Files\My Application\service.exe -k run

// After (Secure Registry Value, fully quoted):
"C:\Program Files\My Application\service.exe" -k run

Quoting removes the ambiguity, but it is worth also confirming that no directory along the path grants write access to standard users, since a loosely ACLed install directory is what makes an unquoted path exploitable in practice and is a separate weakness in its own right.

Precogs AI Detection Strategy

Precogs AI's static analysis engine natively detects CWE-428 misconfigurations in CI/CD environments. By analyzing IaC pipelines, MSI installer scripts (like WiX), and Windows registry modification scripts, Precogs automatically identifies service and task command lines whose unquoted executable path contains spaces, and generates an AutoFix PR that applies the quotation strategy shown above.
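The detector and fix below illustrate both the remediation rule and the detection logic described on this page. It is an added example, not Precogs code, and it runs over a constructed set of registry-style service entries (the product names are invented). It assumes, as static analysis must, that an unquoted executable ends at the first token carrying an executable extension; a value whose only spaces sit in the arguments is therefore reported as safe.

```python
"""Detector and auto-fix for unquoted service ImagePath values (CWE-428).
Added example, not Precogs code: applies the quoting strategy from the Remediation
section to a constructed set of registry-style entries."""

import re

# Executable extensions the Service Control Manager launches directly.
_EXE_RE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def split_executable(value):
    """Return (executable, arguments) for an *unquoted* ImagePath.

    Static-analysis assumption: the executable ends at the first whitespace-separated
    token with an executable extension; later tokens are arguments."""
    tokens = value.strip().split(" ")
    for i, tok in enumerate(tokens):
        if _EXE_RE.search(tok):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return value.strip(), ""


def is_vulnerable(value):
    """True when the path is unquoted and the executable portion contains a space."""
    value = value.strip()
    if value.startswith('"'):
        return False  # quoted: CreateProcess sees one unambiguous file name
    exe, _ = split_executable(value)
    return " " in exe


def quote_image_path(value):
    """Rewrite an unquoted ImagePath as "<exe>" <args>; leave safe values untouched."""
    if not is_vulnerable(value):
        return value.strip()
    exe, args = split_executable(value)
    return f'"{exe}" {args}'.rstrip()


def audit(services):
    """services: {service name: ImagePath}. Returns (name, original, fixed) per finding."""
    return [(name, value, quote_image_path(value))
            for name, value in services.items() if is_vulnerable(value)]


# Constructed sample entries (invented names), shaped like
# HKLM\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath values.
SAMPLE_SERVICES = {
    "MyAppSvc":   r"C:\Program Files\My Application\service.exe -k run",   # vulnerable
    "SafeSvc":    r'"C:\Program Files\Other App\svc.exe" --daemon',         # already quoted
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",            # no space in path
    "ArgsOnly":   r"C:\Tools\agent.exe --config C:\Tools\my config.ini",    # space only in args
}

if __name__ == "__main__":
    for name, before, after in audit(SAMPLE_SERVICES):
        print(f"{name}\n  before: {before}\n  after:  {after}")
```

Running the audit reports only MyAppSvc and produces exactly the "After" value from the Remediation section. A real pipeline would feed it the ImagePath strings extracted from the installer or registry script rather than the inline dictionary.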