Skip to content
Chimera readability score 86 out of 100, Specialist reading level.

Exploit Title: ProtonVPN v4.4.1 - Unquoted Service Path

Date: 2026-06-22

Exploit Author: Milad Karimi

Contact: karimimilad1337@gmail.com

Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL

Vendor Homepage: https://protonvpn.com/

Software Link: https://protonvpn.com/

Version: 4.4.1

Tested on: Windows 10 Pro x64

Description:

A successful attempt would require the local user to be able to insert

their code in the system root path undetected by the OS or other security

applications where it could potentially be executed during application

startup or reboot. If successful, the local user's code would execute with

the elevated privileges of the application.

Proof Of Concept:

PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtonVPN Wireguard

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Program Files (x86)\Proton

Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe

C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : ProtonVPN WireGuard

DEPENDENCIES : Nsi

: TcpIp

SERVICE_START_NAME : LocalSystem

Sentinel — Human

Confidence

The text reads like a direct report or proof-of-concept log from a technical exercise rather than synthesized prose, exhibiting high fidelity to specific operational details.

Signals Detected
low severity: Sentence length variance shows typical technical reporting structure; not overly uniform.
low severity: The text is purely descriptive and transactional, lacking the 'passionate' or argumentative tone associated with AI synthesis.
low severity: Structure follows a clear technical proof-of-concept format, which is typical for exploit descriptions but doesn't strongly suggest LLM templating.
low severity: The content is highly specific technical data (paths, service names) which suggests direct operational knowledge rather than fabricated narrative.
Human Indicators
Presence of very specific, context-dependent command-line output and file paths implies direct engagement with a system for the purpose of demonstration, typical of human technical work.