Description
Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService. A local attacker can place a malicious executable in directories such as C:\ or C:\Program Files (x86)\Personify\, and the service will run that executable with LocalSystem privileges when it starts automatically at boot, giving the attacker full system access. This flaw corresponds to CWE-428.

Affected Systems

The vulnerability affects Personifyinc's Chromacam product, specifically version 4.0.3.0. No other product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.5 indicates a high impact if exploited. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local; it requires write access to system directories or the ability to place files in C:\ or the Personify installation folder. Once the service starts at boot, the injected binary runs with LocalSystem privileges, allowing the attacker to execute arbitrary code and potentially compromise the entire system.

Generated by OpenCVE AI on June 19, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chromacam patch or upgrade to a version where the service path is properly quoted.
  • If an upgrade is not available, disable or remove the PsyFrameGrabberService from the system and restrict write permissions on C:\ and C:\Program Files (x86)\Personify\ to prevent unauthorized executables from being placed there.
  • Review these directories for any unexpected executables and remove them, then run a full system integrity check.
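
A read-only PowerShell audit for the condition described above, added here as an example (not OpenCVE or vendor code): it lists every service whose binary path is unquoted and contains a space, and reports any file already present at a location Windows would try before the real binary. The function name Get-UnquotedPathCandidates and the output property names are assumptions of this example.

```powershell
# Added example (not vendor code): read-only audit for CWE-428.
# For an unquoted path with spaces, Windows tries each space-delimited prefix
# plus ".exe" before the real binary (C:\Program.exe first for C:\Program Files ...).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return }   # quoted: not affected

    # Executable portion: everything up to the first ".exe"; the rest is arguments.
    $m = [regex]::Match($path, '(?i)^.*?\.exe')
    if (-not $m.Success) { return }
    $exe = $m.Value

    # Each space in the executable portion is a point where parsing can stop early.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'    # emitted as function output
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $candidates = @(Get-UnquotedPathCandidates -ImagePath $_.PathName)
        if ($candidates.Count -gt 0) {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                PathName  = $_.PathName
                # Candidate locations where a file already exists on disk
                ExistingCandidates = @($candidates |
                    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
            }
        }
    } | Format-List
```

A service that appears in the output has an unquoted path; a non-empty ExistingCandidates list means a file is already sitting where the service could load it and should be investigated before the next service start.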

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values added (no values removed):

  • Description: Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.
  • Title: Chromacam 4.0.3.0 Unquoted Service Path Privilege Escalation
  • Weaknesses: CWE-428
  • References
  • Metrics:
    cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:54.159Z

Reserved: 2026-01-10T01:51:52.987Z

Link: CVE-2023-54353

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element