CVE-2021-47803

HIGH

iFunbox 4.2 - Unquoted Search Path Privilege Escalation via Apple Mobile Device Service

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47803. PoCs published by Julio Aviña.

AI-analyzed exploit summary This is a writeup describing an unquoted service path vulnerability in iFunbox 4.2's 'Apple Mobile Device Service'. The vulnerability allows local privilege escalation by inserting an executable into the service path, which runs with elevated privileges upon service restart.

Description

iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts.

Exploits (1)

exploitdb WRITEUP
by Julio Aviña · textlocalwindows
https://www.exploit-db.com/exploits/50040

This is a writeup describing an unquoted service path vulnerability in iFunbox 4.2's 'Apple Mobile Device Service'. The vulnerability allows local privilege escalation by inserting an executable into the service path, which runs with elevated privileges upon service restart.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: iFunbox 4.2 (Apple Mobile Device Service 486.0.2.23)
Auth required
Prerequisites: Local access to the system · Ability to write to the service path directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/50040
Various Sources product
https://www.i-funbox.com/en/index.html

Scores

CVSS v3 7.8
EPSS 0.0015
EPSS Percentile 4.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Published Jan 16, 2026
Tracked Since Feb 18, 2026