CVE-2019-25305 in JumpStart

Summary

by MITRE • 02/06/2026

JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions.


Analysis

by VulDB Data Team • 02/06/2026

The vulnerability identified as CVE-2019-25305 resides within JumpStart version 0.6.0.0, specifically in the jswpbapi service component. This service operates with LocalSystem privileges, representing the highest level of system access available within Windows operating systems. The flaw manifests as an unquoted service path vulnerability, a well-documented weakness that occurs when the service executable path contains spaces but lacks quotation marks around the entire path. This configuration creates a security exposure that allows attackers to manipulate the service execution flow through carefully crafted file placement.

The technical exploitation of this vulnerability follows a predictable pattern that aligns with common attack methodologies described in the MITRE ATT&CK framework. When a service path contains spaces and is not properly quoted, the Windows Service Control Manager will traverse the directory structure searching for executables that match the beginning of the path components. For instance, if the service path is configured as C:\Program Files\JumpStart\jswpbapi.exe without surrounding quotation marks, an attacker could place a malicious executable named "Program.exe" in the "C:\Program Files\" directory, and the system would execute this malicious file instead of the legitimate service binary. This behavior directly corresponds to attack technique T1543.003 within the MITRE ATT&CK framework, which covers creation or modification of system level execution mechanisms.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with a persistent foothold within the target system. Since the jswpbapi service runs with LocalSystem privileges, successful exploitation grants full system control to the attacker. This elevated access enables comprehensive system compromise including data exfiltration, lateral movement, and establishment of additional persistence mechanisms. The vulnerability represents a critical weakness in the software's security posture, as it transforms a legitimate service into a potential attack vector that requires minimal effort to exploit.

The root cause of this vulnerability can be classified under CWE-428, which describes the weakness of unquoted service paths in Windows environments. This weakness stems from improper configuration practices during software installation, where developers fail to properly quote paths containing spaces. The vulnerability requires no special privileges to exploit and can be leveraged by attackers with minimal technical expertise, making it particularly dangerous in enterprise environments where software deployment automation may not consistently apply proper quoting. Organizations should implement immediate mitigations including proper quoting of service paths during installation, regular vulnerability assessments, and monitoring for unauthorized service modifications. The recommended remediation involves updating to a patched version of JumpStart or manually correcting the service path configuration to ensure all path components are properly quoted, thereby preventing the exploitation vector that enables privilege escalation attacks.
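An audit for the CWE-428 condition described above, with the quoted replacement value it recommends; this is an added example, not code from VulDB or the JumpStart vendor. The function name `Test-UnquotedServicePath` is hypothetical, the sample rows are constructed, and the jswpbapi path is the analysis's illustrative path rather than a confirmed install location.

```powershell
# Added example: flag service image paths that contain spaces but are not quoted (CWE-428).
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    $result = [pscustomobject]@{ PathName = $p; Unquoted = $false; Suggested = $null }

    # A leading quote means the executable portion is already delimited.
    if ($p.StartsWith('"')) { return $result }

    # Split executable from arguments at the first ".exe" followed by whitespace or end of string.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $result }   # drivers and non-.exe images are out of scope here

    $exe = $m.Groups['exe'].Value
    if ($exe -match '\s') {
        # Only the executable is wrapped in quotes; arguments are kept as they were.
        $result.Unquoted  = $true
        $result.Suggested = '"' + $exe + '"' + $m.Groups['args'].Value
    }
    return $result
}

# Constructed sample rows shaped like Win32_Service objects (Name, StartName, PathName).
$services = @(
    [pscustomobject]@{ Name = 'jswpbapi';   StartName = 'LocalSystem'; PathName = 'C:\Program Files\JumpStart\jswpbapi.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc';  StartName = 'LocalSystem'; PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; StartName = 'NT AUTHORITY\LocalService'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'ArgsSvc';    StartName = 'LocalSystem'; PathName = 'C:\Tools Dir\agent.exe --config C:\cfg.ini' }
)
# On a live host, use instead: $services = Get-CimInstance Win32_Service

$services | Where-Object PathName | ForEach-Object {
    $r = Test-UnquotedServicePath -PathName $_.PathName
    if ($r.Unquoted) {
        [pscustomobject]@{
            Name      = $_.Name
            Account   = $_.StartName
            Current   = $r.PathName
            Suggested = $r.Suggested
        }
    }
} | Format-List
```

With the sample rows, only jswpbapi and ArgsSvc are reported. On a live host the corrected string belongs in the `ImagePath` value under `HKLM:\SYSTEM\CurrentControlSet\Services\<service name>`.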

Responsible: VulnCheck

Reservation: 02/06/2026

Disclosure: 02/06/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00014

KEV: no

Activities: very low
