CVE-2016-20033

EUVD-2016-10821 | HIGH | CVSS 3.1: 7.8
2026-03-15 VulnCheck

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

PoC Detected: Mar 16, 2026 - 14:53 (vuln.today), public exploit code
EUVD ID Assigned: Mar 15, 2026 - 20:00 (euvd), EUVD-2016-10821
Analysis Generated: Mar 15, 2026 - 20:00 (vuln.today)
CVE Published: Mar 15, 2026 - 18:34 (nvd), HIGH 7.8

Description

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.

Analysis

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability where authenticated users can gain SYSTEM-level access by replacing service executables due to overly permissive file permissions that grant the Everyone group full control. A public proof-of-concept exploit is available, making this vulnerability easily exploitable by any authenticated local user to completely compromise the system.

Technical Context

The vulnerability affects Wowza Streaming Engine (CPE: cpe:2.3:a:wowza_media_systems,_llc.:wowza_streaming_engine:*:*:*:*:*:*:*:*), media server software for streaming video and audio content. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), specifically manifesting as improper file permissions on critical service executables. The nssm_x64.exe binary in both the manager and engine service directories has full access permissions granted to the Everyone group, allowing any authenticated user to replace these executables with malicious code that will execute with LocalSystem privileges when the services restart.

Affected Products

Wowza Streaming Engine version 4.5.0 is confirmed vulnerable according to ENISA EUVD-2016-10821. The CPE string indicates this affects the Wowza Streaming Engine product line from Wowza Media Systems, LLC. Organizations running this specific version on Windows systems where multiple users have local access are at highest risk.

Remediation

Immediate mitigation involves restricting file permissions on the nssm_x64.exe files in both the manager and engine service directories to prevent modification by non-administrative users. Remove write permissions for the Everyone group on these executables. Organizations should upgrade from version 4.5.0 to a patched version; consult the vendor advisory at http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php for specific patch information. As a temporary workaround, monitor for unauthorized modifications to service executables and restrict local access to the server.
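
The permission check and modification monitoring described above can be scripted. The following PowerShell audit is an added example, not code from the advisory or from Wowza. It assumes the two service directories are passed in by the operator (the page does not give their paths) and also flags Authenticated Users and BUILTIN\Users in addition to Everyone.

```powershell
# Added example: audit nssm_x64.exe and its folder for write access by broad groups.
# ASSUMPTION: the caller supplies the manager and engine service directories;
# the advisory page does not state their paths.
param(
    [Parameter(Mandatory)][string[]]$ServiceDirs
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that allow replacing the binary or rewriting its ACL
$Risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    # Resolve identities to SIDs so localized group names still match
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $Risky) -ne 0
        }
}

$findings = foreach ($dir in $ServiceDirs) {
    $exe = Join-Path $dir 'nssm_x64.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "Not found: $exe"
        continue
    }
    # Hash recorded so later runs can be compared against a known-good baseline
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    # A writable parent folder also allows replacement, so check both objects
    foreach ($target in $exe, $dir) {
        foreach ($ace in Get-WeakAce -Path $target) {
            [pscustomobject]@{
                Path      = $target
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                ExeSha256 = $hash
            }
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task or monitor alert
```

Findings marked as inherited have to be fixed on the parent folder or by disabling inheritance on the file, since an inherited grant cannot be removed from the file's own ACL.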

Priority Score

59 (KEV: 0, EPSS: +0.0, CVSS: +39, POC: +20)
