Unquoted Service Path Vulnerability in OSAS Traverse Extension 11
CVE-2021-47864

8.5HIGH

Key Information:

Vendor

Osas

Status
Osas Traverse Extension
Vendor
CVE Published:
21 January 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2021-47864?

The OSAS Traverse Extension 11 features an unquoted service path vulnerability in the TravExtensionHostSvc service, which operates with LocalSystem privileges. This flaw allows attackers to exploit the unquoted service path, enabling them to inject and execute malicious code by placing malicious executable files in the service's directory. Such an exploitation could lead to elevated system access and potentially compromise sensitive data or the integrity of the system.

Affected Version(s)

OSAS Traverse Extension 11 x86

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-47864 - Proof of Concept

References

https://www.exploit-db.com/exploits/49698
exploit
https://web.archive.org/web/20200817150522/https://www.os...
product
https://www.vulncheck.com/advisories/osas-traverse-extens...
third-party-advisory

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tech Johnny
JSON
.