CVE-2021-47887 in Print Job Accounting
Summary
by MITRE • 01/21/2026
OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges.
Analysis
by VulDB Data Team • 01/22/2026
The vulnerability identified as CVE-2021-47887 represents a critical security flaw in OKI Print Job Accounting version 4.4.10 that stems from improper service path configuration. This issue manifests as an unquoted service path vulnerability within the OkiJaSvc service component, creating a significant attack vector for local adversaries seeking to compromise system integrity. The vulnerability specifically resides in the service executable path located at C:\Program Files\Okidata\Print Job Accounting\, where the service fails to properly quote the path string during installation or configuration. This misconfiguration allows attackers to place malicious executables in directories that are searched before the intended service binary, effectively enabling privilege escalation and arbitrary code execution.
The technical exploitation of this vulnerability leverages fundamental Windows service behavior where the operating system searches for executables in the PATH environment variable in a sequential order. When a service path is not properly quoted, Windows interprets the path as multiple separate components, allowing an attacker to place a malicious executable in a directory that appears earlier in the search sequence. In this case, the service path lacks proper quotation, making it susceptible to manipulation where an attacker can create a malicious binary in the parent directory and have it executed with elevated privileges when the service starts. This flaw directly maps to CWE-428, which describes the weakness of unquoted service paths, and represents a classic privilege escalation vector that can be exploited by local users with minimal privileges.
The operational impact of CVE-2021-47887 extends beyond simple code execution as it provides attackers with a persistent foothold within the compromised system. Once successfully exploited, the malicious code can operate with the privileges of the service account, typically SYSTEM level access, enabling attackers to establish backdoors, exfiltrate sensitive data, or deploy additional malware. This vulnerability is particularly concerning in enterprise environments where print servers and accounting systems often run with elevated privileges, as it can facilitate lateral movement and broader network compromise. The attack surface is further expanded when considering that print job accounting systems frequently handle sensitive information related to document processing, user authentication, and resource utilization data, making this vulnerability attractive to adversaries seeking both system control and data access.
Security mitigations for CVE-2021-47887 should focus on immediate remediation through proper service path quoting and privilege reduction. Organizations must ensure that all service paths are properly quoted during installation and configuration processes to prevent the exploitation vector. The recommended approach involves updating the OkiJaSvc service configuration to include proper path quotation around the executable location, effectively preventing the search sequence manipulation that enables code injection. Additionally, implementing the principle of least privilege for the service account, conducting regular security audits of installed services, and employing application whitelisting solutions can significantly reduce the risk of exploitation. The vulnerability also highlights the importance of following security best practices outlined in the MITRE ATT&CK framework, particularly in the privilege escalation and persistence tactics, where unquoted service paths represent a common technique used by adversaries to maintain long-term access to compromised systems. Regular vulnerability assessments and patch management processes should prioritize this class of vulnerabilities to prevent exploitation attempts that could lead to more severe security incidents.
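The service audit recommended above can be scripted. The following PowerShell is an added example, not code from OKI, MITRE or VulDB: it flags service command lines that are unquoted and contain spaces (CWE-428) and lists the locations a defender should check for unexpected files and writable ACLs, based on the documented CreateProcess behaviour of trying each space-delimited prefix of an unquoted command line with .exe appended. The function name, the sample data and the binary name placeholder.exe are assumptions; the page gives only the service directory.

```powershell
# Added example: audit service command lines for CWE-428 (unquoted path containing spaces).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A command line that begins with a quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return @() }

    # Isolate the executable part: everything up to the first ".exe" that is
    # followed by whitespace or the end of the string (arguments are ignored).
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch ' ') { return @() }

    # Every space is a point where Windows may end the program name, so each
    # prefix plus ".exe" is a location to inspect.
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

# Constructed sample data. "placeholder.exe" stands in for the real OkiJaSvc binary name.
$samples = @(
    [pscustomobject]@{ Name = 'OkiJaSvc';   PathName = 'C:\Program Files\Okidata\Print Job Accounting\placeholder.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc';  PathName = '"C:\Program Files\Vendor\App Dir\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

# On a live host, replace $samples with:
#   Get-CimInstance Win32_Service | Select-Object Name, PathName
foreach ($s in $samples) {
    $c = @(Get-UnquotedPathCandidates $s.PathName)
    if ($c.Count -gt 0) {
        [pscustomobject]@{
            Service                = $s.Name
            PathName               = $s.PathName
            CheckForUnexpectedFile = $c -join '; '
        }
    }
}
```

Only the OkiJaSvc sample is reported; the quoted and space-free entries produce no output. A flagged service is remediated by wrapping the executable path in double quotes in the service configuration.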