CVE-2024-47856: n/a
In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.
AI Analysis
Technical Summary
CVE-2024-47856 identifies a path interception vulnerability in RSA Authentication Agent versions before 7.4.7. The root cause is improper handling of service and shortcut paths that include spaces but lack surrounding quotation marks. On Windows, such an unquoted string is parsed as a command line: each space is treated as a possible end of the executable name, so the operating system tries the shorter candidates in parent directories (for example C:\Program.exe before the full path) before reaching the intended executable. An adversary who can write to one of those higher-level directories can place a malicious executable there, and Windows will execute it instead of the legitimate RSA Authentication Agent executable. This can lead to unauthorized code execution, potentially with elevated privileges if the service runs with high-level permissions. The vulnerability does not require user interaction, but it does require the attacker to have write access to a directory in the path hierarchy, which might be achievable through other means such as compromised accounts or lateral movement. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability highlights the importance of correctly quoting paths in Windows service configurations to prevent path hijacking attacks. Mitigation involves patching to version 7.4.7 or later, auditing service and shortcut paths for unquoted spaces, and restricting write permissions on directories in the executable path to prevent unauthorized file placement.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in sectors relying on RSA Authentication Agent for secure authentication, such as financial institutions, government agencies, and critical infrastructure providers. Exploitation could allow attackers to execute arbitrary code with the privileges of the RSA Authentication Agent service, potentially leading to privilege escalation, unauthorized access to sensitive systems, and compromise of authentication mechanisms. This could undermine multi-factor authentication controls, leading to broader network compromise. The impact on confidentiality, integrity, and availability is high given the potential for attackers to bypass security controls and execute persistent malicious payloads. Organizations with complex Windows environments and shared directory structures are particularly exposed if directory permissions are not tightly controlled. The absence of known exploits provides a window for proactive mitigation, but the risk remains elevated because exploitation is straightforward once write access is obtained.
Mitigation Recommendations
1. Immediately upgrade RSA Authentication Agent to version 7.4.7 or later once patches are available.
2. Audit all service and shortcut paths used by RSA Authentication Agent and other critical services to ensure paths with spaces are properly enclosed in quotation marks.
3. Restrict write permissions on all directories in the executable path hierarchy to trusted administrators only, preventing attackers from placing malicious executables.
4. Implement file integrity monitoring on directories containing service executables to detect unauthorized changes.
5. Use application whitelisting to prevent execution of unauthorized binaries from unexpected locations.
6. Conduct regular privilege audits to minimize the number of users with write access to critical directories.
7. Monitor logs for unusual process creation events related to RSA Authentication Agent or its service paths.
8. Educate system administrators about the risks of unquoted service paths and path interception attacks.
9. Consider deploying endpoint detection and response (EDR) solutions capable of detecting suspicious execution behaviors related to path hijacking.
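A defender's audit of the condition described in the technical summary and in recommendations 2 and 3 above, written as an added example that is not part of this advisory or of RSA's software: it flags unquoted service ImagePath values that contain spaces, enumerates the shorter candidate paths Windows would try first (so the parent directories' write ACLs can be reviewed), and produces the quoted form. The service entries are constructed samples, and the RSA-looking install path is hypothetical, not the product's real layout.

```python
import ntpath
import re

# Constructed sample ImagePath values (not from the advisory). The RSA-looking
# layout is hypothetical and only illustrates the unquoted-path condition.
SAMPLE_SERVICES = {
    "RSAAuthAgent": r"C:\Program Files\RSA Security\RSA Authentication Agent\bin\agent.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE | re.DOTALL)

def split_image_path(image_path: str) -> tuple[str, str]:
    """Return (executable part, trailing arguments) of an unquoted ImagePath."""
    m = _EXE_RE.match(image_path.strip())
    return (m.group(1), m.group(2)) if m else (image_path.strip(), "")

def is_unquoted_with_spaces(image_path: str) -> bool:
    """The CVE condition: absolute path, no quotes, and a space before the .exe."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe and re.match(r"^[A-Za-z]:\\", exe) is not None

def interception_candidates(image_path: str) -> list[str]:
    """Paths CreateProcess tries before the real one: it cuts the unquoted line
    at each space and appends ".exe" when that shorter prefix has no extension."""
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = split_image_path(image_path)[0].split(" ")
    out = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        out.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return out

def quote_image_path(image_path: str) -> str:
    """The remediation: quote the executable portion so spaces are unambiguous."""
    if not is_unquoted_with_spaces(image_path):
        return image_path.strip()
    exe, rest = split_image_path(image_path)
    return f'"{exe}"{rest}'

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Vulnerable service -> parent directories of its candidates (ACLs to review)."""
    return {n: list(dict.fromkeys(ntpath.dirname(c) for c in interception_candidates(p)))
            for n, p in services.items() if is_unquoted_with_spaces(p)}
```

On a live host the input dictionary would come from the SCM (for example the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services); the module itself runs anywhere because it uses ntpath rather than the host's path rules.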
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-10-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6924d3bc338d19296f897f68
Added to database: 11/24/2025, 9:53:00 PM
Last enriched: 11/24/2025, 10:08:01 PM
Last updated: 11/24/2025, 11:59:34 PM