Cyber Posture

CVE-2024-47856

Critical

Published: 24 November 2025
Modified: 30 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly requires timely patching of the RSA Authentication Agent to version 7.4.7, eliminating the unquoted path vulnerability.

prevent: Mandates secure configuration settings, such as properly quoting service and shortcut paths that contain spaces, to block path interception.

prevent: Restricts execution to authorized software only via whitelisting, so a malicious executable placed in a higher-level directory cannot run even if an unquoted path resolves to it.

Security Summary [AI-generated]

CVE-2024-47856 is a path interception vulnerability (CWE-23) in RSA Authentication Agent for Microsoft Windows versions before 7.4.7. It arises when service paths and shortcut paths contain one or more spaces without surrounding quotation marks, allowing Windows to resolve an executable from a higher-level directory instead of the intended one. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation without privileges or user interaction.

An unauthenticated attacker with network access can exploit this vulnerability by placing a malicious executable in a higher-level directory along the unquoted path used by the affected service or shortcut. Upon execution of the service or shortcut, Windows prioritizes the attacker's executable, enabling arbitrary code execution with the privileges of the RSA Authentication Agent process, which could result in high-impact confidentiality, integrity, and availability violations, such as full system compromise.

RSA advisories, including RSA-2024-13, detail the security update and recommend upgrading to version 7.4.7, available for download from the RSA community site. Practitioners should apply this patch promptly to affected systems to prevent exploitation.
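As an added defender-side example (not code from this page, from Cyber Posture or from RSA), the following Python audits Windows service ImagePath values for the pattern described above, an unquoted executable path containing a space, and produces the quoted form that the secure-configuration control calls for. The service names and paths are constructed samples, not RSA Authentication Agent's real paths.

```python
import re

# Constructed sample ImagePath values of the kind stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The names and
# paths are invented for this example and are not RSA's.
SAMPLE_SERVICES = {
    "GoodQuoted": '"C:\\Program Files\\Example Vendor\\Agent Service\\agent.exe" -run',
    "BadUnquoted": 'C:\\Program Files\\Example Vendor\\Agent Service\\agent.exe -run',
    "NoSpaces": 'C:\\Windows\\system32\\svchost.exe -k netsvcs',
    "SpacesOnlyInArgs": 'C:\\Tools\\agent.exe --config "C:\\Program Files\\x\\cfg.ini"',
    "Expandable": '%ProgramFiles%\\Example Vendor\\agent.exe',  # unquoted, has a space
}

def executable_path(image_path):
    """Return the executable portion of an ImagePath value.

    A leading double quote delimits it exactly; unquoted, Windows tries each
    space-delimited prefix, so the shortest prefix ending in .exe is taken
    as the intended executable (whole value if there is no .exe).
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    m = re.match(r'(.*?\.exe)(?=\s|$)', s, re.IGNORECASE)
    return m.group(1) if m else s

def is_unquoted_with_spaces(image_path):
    """True when the executable path is unquoted and contains a space: the
    pattern behind CVE-2024-47856 and ATT&CK T1574.009."""
    s = image_path.strip()
    return not s.startswith('"') and " " in executable_path(s)

def quoted_fix(image_path):
    """Return the ImagePath with the executable wrapped in double quotes and
    any arguments left untouched; already-quoted values are returned as-is."""
    s = image_path.strip()
    if s.startswith('"'):
        return s
    exe = executable_path(s)
    return '"%s"%s' % (exe, s[len(exe):])

def audit(services):
    """Sorted names of services whose ImagePath needs quoting."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(name, "->", quoted_fix(SAMPLE_SERVICES[name]))
```

On a real host the same checks apply to the ImagePath values read from the registry or from `sc qc`, and the corrected value is what the service configuration should be set to.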

Details

CWE(s)

Affected Products: rsa / authentication agent for windows (≤ 7.4.7)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1574.009 Path Interception by Unquoted Path (Stealth)
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.

Why these techniques?

The vulnerability is explicitly a path interception issue due to unquoted paths with spaces in service and shortcut paths, directly matching T1574.009: Path Interception by Unquoted Path, enabling arbitrary code execution by placing a malicious executable in a higher-level directory.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References