CVE-2019-25302 in Launch Manager
Summary
by MITRE • 02/06/2026
Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Launch Manager\dsiwmis.exe to insert malicious code that would execute with system-level permissions during service startup.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/07/2026
The vulnerability identified as CVE-2019-25302 represents a critical security flaw in Acer Launch Manager version 6.1.7600.16385 that stems from an improperly configured service path. This issue resides within the DsiWMIService component which operates with elevated privileges during system startup. The vulnerability manifests when the service path for dsiwmis.exe lacks proper quotation marks around the executable path, creating an exploitable condition that allows local attackers to inject malicious code. This unquoted service path vulnerability falls under the CWE-16 category of Improper Neutralization of Special Elements used in an OS Command, specifically manifesting as CWE-428 which addresses Unquoted Service Path. The flaw is particularly concerning because it enables privilege escalation attacks where local users can potentially execute code with system-level permissions, bypassing standard user restrictions.
The technical exploitation of this vulnerability occurs through a carefully crafted attack vector that takes advantage of Windows service path parsing behavior. When Windows attempts to start the DsiWMIService, it searches for the executable in the specified path and continues searching through each directory component until it finds an executable file. Since the path C:\Program Files (x86)\Launch Manager\dsiwmis.exe is not properly quoted, an attacker can place a malicious executable named dsiwmis.exe in a parent directory such as C:\Program Files (x86)\Launch Manager\ and when the service attempts to execute the legitimate dsiwmis.exe, it will instead execute the attacker's malicious version. This behavior aligns with the ATT&CK technique T1035 for "Service Execution" and demonstrates the principle of privilege escalation through service manipulation. The vulnerability is particularly dangerous because the service runs with SYSTEM privileges, meaning any code executed through this vector will operate at the highest privilege level available on the system.
The operational impact of CVE-2019-25302 extends beyond simple local privilege escalation to potentially enable complete system compromise. Attackers who successfully exploit this vulnerability can establish persistent backdoors, install rootkits, or deploy additional malicious software with unrestricted system access. The attack surface is particularly broad since many organizations have multiple Acer devices running this vulnerable software, and the exploit requires minimal privileges to execute. This vulnerability can be leveraged in conjunction with other attack vectors to create more sophisticated compromise scenarios, potentially enabling lateral movement within networks or data exfiltration operations. The persistence mechanism provided by this vulnerability makes it particularly attractive to threat actors seeking long-term access to compromised systems.
Mitigation strategies for CVE-2019-25302 should focus on immediate remediation through patching the vulnerable Acer Launch Manager software to version 6.1.7600.16386 or later. Organizations should also implement service path hardening measures by ensuring all service paths are properly quoted to prevent the exploitation of similar vulnerabilities. System administrators should conduct comprehensive vulnerability assessments to identify other unquoted service paths within their environments and remediate them accordingly. The implementation of application whitelisting policies can provide additional defense-in-depth by restricting execution of unauthorized binaries. Regular security monitoring should be implemented to detect suspicious service execution patterns or unauthorized modifications to service configurations. Network segmentation and privilege separation practices can help limit the potential impact of successful exploitation, while endpoint detection and response solutions can provide visibility into malicious activities attempting to leverage this vulnerability. These measures align with the defensive strategies outlined in the MITRE ATT&CK framework for preventing service execution attacks and maintaining system integrity.