WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path | Advisories

Advisories

WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path

severity: high
date: January 21, 2026
Affecting: WIN-PACK PRO 4.8
CVE: CVE-2021-47866
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49690
Honeywell Product Webpage
Credit: Alan Mondragon
Description: WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup.