Genexus Protection Server 9.7.2.10 Unquoted Service Path Privilege Escalation

Advisories

severity: high
date: December 11, 2025
Affecting: Genexus Protection Server 9.7.2.10
CVE: CVE-2024-58288
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-52065
Official Genexus Homepage
Genexus Software Download Center
Credit: SamAlucard, Sam Alucard
Description: Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.