CVE-2019-25310 in ActiveFax Server
Summary
by MITRE • 02/11/2026
ActiveFax Server 6.92 Build 0316 contains an unquoted service path vulnerability in the ActiveFaxServiceNT service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated administrative privileges.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/11/2026
The ActiveFax Server 6.92 Build 0316 contains a critical unquoted service path vulnerability within the ActiveFaxServiceNT service component that presents a significant security risk to systems running this software. This vulnerability falls under the Common Weakness Enumeration category CWE-428 which specifically addresses the improper handling of unquoted service paths in Windows environments. The flaw occurs when the service binary path contains spaces but lacks proper quotation marks around the path, creating an exploitable condition where malicious actors can place executable files in directories leading up to the intended service binary location.
The technical implementation of this vulnerability stems from the Windows service architecture where the system searches for executables in a specific order when resolving service paths. When a service path contains spaces without proper quoting, Windows will first search for an executable matching the first directory component, potentially allowing an attacker to place a malicious binary in a directory that appears earlier in the search path. In the context of ActiveFax Server, this creates a scenario where local attackers can place malicious executables in directories such as Program Files or other common installation paths, which will then be executed with the elevated privileges of the ActiveFaxServiceNT service.
The operational impact of this vulnerability is particularly concerning as it provides local attackers with a pathway to escalate privileges and execute arbitrary code with administrative rights. Since the ActiveFaxServiceNT service typically runs with high privileges, any malicious code injected through this vulnerability will inherit those elevated permissions, potentially allowing attackers to modify system files, install backdoors, or gain complete control over the affected system. This represents a classic privilege escalation vector that aligns with ATT&CK technique T1068 which covers privilege escalation through service misconfiguration.
Mitigation strategies for this vulnerability should focus on immediate remediation through proper path quoting in the service configuration. System administrators must ensure that all service binary paths containing spaces are properly quoted to prevent the Windows service manager from interpreting the path incorrectly. The recommended approach involves modifying the service configuration to wrap the entire binary path in double quotes, preventing the path resolution from traversing unintended directories. Additionally, regular security audits should verify that no other services on the system contain similar unquoted path vulnerabilities, as these represent a common class of misconfigurations that attackers frequently target. Organizations should also implement principle of least privilege practices and regularly update their ActiveFax Server installations to versions that address this specific vulnerability, as the original build 0316 is likely to contain additional security weaknesses beyond this single path issue.