CVE

-pending-

Vulnerable Software

Remote Desktop Commander Suite Agent <= Version 4.8

Vulnerability

Unquoted Service Path Vulnerability

Time Line

  • 12.11.2021 Vendor informed
  • 10.12.2021 Vendor confirmed the issue and kindly asked for a release on the 9th of February 2022
  • 09.02.2022 Disclosure

Description

If a customer a.) installed our agent service in the default path of C:\Program Files\RDPSoft\Remote Desktop Reporter Agent and b.) has not weakened the default Windows NTFS permissions in the root of C:\ or under the C:\Program Files folder. By default, standard users do not have permissions to create new files in the root of C: or in the Program Files folder and subfolders. If our agent service was installed to a different folder and/or the default NTFS permissions were weakened, this may make the unquoted service path exploitable.
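Added example (not from the advisory or the vendor): a Python audit helper that takes service ImagePath strings, flags unquoted paths that contain spaces, and lists the folders whose NTFS write permissions decide whether the condition described above matters. The install folder is the default path from the description; the service names and executable file names are placeholders, and the sample data is constructed.

```python
import re

# End of the executable token in an unquoted command line (arguments may follow).
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

# Constructed sample data. The install folder is the default from the advisory;
# the service names and executable file names are placeholders.
SAMPLE_SERVICES = {
    "AgentUnquoted": r"C:\Program Files\RDPSoft\Remote Desktop Reporter Agent\AgentService.exe -run",
    "AgentQuoted": r'"C:\Program Files\RDPSoft\Remote Desktop Reporter Agent\AgentService.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def split_image_path(image_path):
    """Return (executable_path, was_quoted) for a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    # Without a recognisable extension, treat the whole string as the path.
    return (s[: m.end()] if m else s), False


def ambiguous_candidates(image_path):
    """Shorter paths Windows tries first when the path is unquoted: the command
    line is cut at each space and '.exe' appended (documented CreateProcess behaviour)."""
    exe, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def dirs_to_review(image_path):
    """Folders whose NTFS write permissions must stay restricted for this service."""
    dirs = []
    for cand in ambiguous_candidates(image_path):
        parent = cand.rsplit("\\", 1)[0] + "\\"
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def audit(services):
    """Map each service with an ambiguous path to the folders to check."""
    return {n: dirs_to_review(p) for n, p in services.items() if dirs_to_review(p)}
```

On a real host the input strings would come from each service's ImagePath value; quoting the path in that value removes the ambiguity regardless of folder permissions.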

References: