Critical Vulnerability Information

Vulnerability Name: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path
EDB-ID: 51206
CVE: N/A
Author: Wim Jaap van Vliet
Type: LOCAL
Platform: WINDOWS
Release Date: 2023-04-03
Affected Application: HotKey Clipboard Service 'HKClipSvc'

Vulnerability Details:
- The HotKey Clipboard service 'HKClipSvc' is installed as part of Control Center3.0 v3.97 (and earlier versions) provided by Clevo.
- This service package is typically installed on Clevo laptops (or other brands using Clevo barebones) as a driver.
- Due to the unquoted service path, this may allow an authorized but low-privileged local user to execute arbitrary code with system privileges.

Exploit Information

Test Environment: Windows 11 Pro 10.0.22000

Issue Description:
- The installation of the HotKey Clipboard service 'HKClipSvc' contains an unquoted service path, which is a common issue in Windows services.
- When a service path is unquoted, it can be exploited maliciously, especially if the path contains spaces, allowing attackers to execute arbitrary code.

Related Links

Vendor Homepage: www.clevo.com.tw
Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip
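
The unquoted-service-path condition described under Issue Description can be audited across all installed services with a short PowerShell check. This is an added example, not code from the advisory or from the vendor; the function name Test-UnquotedServicePath is hypothetical and the sample paths are constructed, not the real HKClipSvc path.

```powershell
# Added example: defensive audit for unquoted service paths.
# Test-UnquotedServicePath is a hypothetical helper name, not a built-in cmdlet.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A path that starts with a double quote is already delimited correctly.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion (everything up to the first ".exe"),
    # so that spaces in trailing arguments are not counted.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return $false }

    # Unquoted AND a space inside the executable path: the condition
    # the advisory describes.
    return $m.Groups[1].Value.Contains(' ')
}

# Constructed sample ImagePath values (placeholders, not from the advisory),
# mapped to the result the check should give.
$samples = [ordered]@{
    'C:\Program Files\Example Vendor\Example Svc.exe'   = $true
    '"C:\Program Files\Example Vendor\Example Svc.exe"' = $false
    'C:\Windows\System32\svchost.exe -k netsvcs'        = $false
}
foreach ($s in $samples.GetEnumerator()) {
    $got = Test-UnquotedServicePath -PathName $s.Key
    if ($got -ne $s.Value) { throw "Self-check failed for: $($s.Key)" }
}

# Live audit: list every service on this host whose path is flagged.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath -PathName $_.PathName) } |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize -Wrap
```

A flagged service is remediated by wrapping the executable path in double quotes in its ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>. Services that run as LocalSystem (the StartName column) are the ones where the condition leads to the system-level impact described above.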