CVSS Vector (NVD)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
Analysis (AI)
Small HTTP Server 3.06.36 allows local attackers with low privileges to execute arbitrary code through an unquoted service path vulnerability in the http.exe service executable. By placing a malicious executable in a higher-priority directory along the unquoted path 'C:\Program Files (x86)\shttps_mg\http.exe service', an attacker can achieve full system compromise with high confidentiality, integrity, and availability impact. No public exploit had been identified at the time of analysis, and the CISA SSVC assessment indicates no current exploitation, though the technical impact is rated as total.
Technical Context (AI)
This vulnerability is an instance of CWE-428 (Unquoted Search Path or Element), a Windows-specific flaw where a service path containing spaces is not enclosed in quotes. When the Windows Service Control Manager starts the service registered as 'C:\Program Files (x86)\shttps_mg\http.exe service', the embedded spaces make the command line ambiguous, so it may try a truncated candidate such as 'C:\Program.exe' before reaching the intended executable 'C:\Program Files (x86)\shttps_mg\http.exe'. The affected product is identified via CPE cpe:2.3:a:smallsrv:small_http:*:*:*:*:*:*:*:*, specifically version 3.06.36 of Small HTTP Server from smallsrv. This misconfiguration is a common Windows service installation error that allows privilege escalation when an attacker has write access to one of the intermediate directories in the path hierarchy.
Remediation (AI)
A fix is available; see the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv. Organizations should immediately apply the vendor-released security update and verify that the service path is properly quoted in the Windows registry (HKLM\SYSTEM\CurrentControlSet\Services). As an immediate workaround before patching, administrators can manually modify the service registry entry to enclose the executable path in double quotes: '"C:\Program Files (x86)\shttps_mg\http.exe" service'. Additionally, restrict write permissions on the Program Files directories so that a malicious executable cannot be placed along the path, enforce least privilege for local user accounts, and audit existing service configurations for similar unquoted path vulnerabilities using tools such as Windows Sysinternals AccessChk or PowerShell service enumeration scripts.
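The audit script below is an added example, not code from the vendor, NVD or this page. It implements the check the Technical Context describes (an unquoted executable path that contains a space, which is what makes the Service Control Manager try truncated candidates such as 'C:\Program.exe') and the registry workaround from the Remediation section. It assumes the standard Win32_Service CIM class and the per-service ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services; the sample path in the comments is the one from this advisory. Without -Fix it only reports; with -Fix it rewrites ImagePath after confirming the raw registry value is also unquoted, and honours -WhatIf.

```powershell
# Added example (not the vendor's or the page's code): audit Windows services for
# unquoted ImagePath values that contain spaces (CWE-428) and, with -Fix, quote
# the executable portion in the registry. Run from an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix
)

function Split-ServiceCommand {
    # Returns @{ Exe = <path up to and including .exe>; Args = <remainder> },
    # or $null when the command line has no .exe (e.g. kernel drivers).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    $i = $cmd.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { return $null }
    return @{
        Exe  = $cmd.Substring(0, $i + 4)
        Args = $cmd.Substring($i + 4)
    }
}

function Test-UnquotedServicePath {
    # True when the executable path is not wrapped in quotes and contains a space,
    # the condition under which the Service Control Manager tries truncated
    # candidates such as C:\Program.exe before the intended binary.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    if ($CommandLine.Trim().StartsWith('"')) { return $false }
    $parts = Split-ServiceCommand $CommandLine
    if ($null -eq $parts) { return $false }
    return ($parts.Exe -match ' ')
}

function Get-QuotedServiceCommand {
    # Rebuilds the command line with the executable quoted and arguments intact:
    # 'C:\Program Files (x86)\shttps_mg\http.exe service' (path from the advisory)
    # becomes '"C:\Program Files (x86)\shttps_mg\http.exe" service'.
    param([string]$CommandLine)
    $parts = Split-ServiceCommand $CommandLine
    return ('"{0}"{1}' -f $parts.Exe, $parts.Args)
}

# Enumerate every installed service and keep the ones with an unquoted, space-bearing path.
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-UnquotedServicePath $svc.PathName) {
        [pscustomobject]@{
            Name      = $svc.Name
            StartName = $svc.StartName   # account the service runs as
            PathName  = $svc.PathName
            Quoted    = Get-QuotedServiceCommand $svc.PathName
        }
    }
}

if (-not $findings) {
    Write-Host 'No unquoted service paths with spaces found.'
    exit 0
}
$findings | Format-Table -AutoSize -Wrap

if ($Fix) {
    foreach ($f in $findings) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
        # Work on the raw registry value: it may differ from the expanded PathName
        # (e.g. it can contain %SystemRoot%), so re-check it before rewriting.
        $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
        if (-not (Test-UnquotedServicePath $raw)) { continue }
        $new  = Get-QuotedServiceCommand $raw
        $kind = (Get-Item -Path $key).GetValueKind('ImagePath')   # preserve REG_SZ / REG_EXPAND_SZ
        if ($PSCmdlet.ShouldProcess($f.Name, "set ImagePath to $new")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $new -Type $kind
        }
    }
}
```

Run it as `.\Audit-ServicePaths.ps1` to list findings, `.\Audit-ServicePaths.ps1 -Fix -WhatIf` to preview the registry changes, and `.\Audit-ServicePaths.ps1 -Fix` to apply them; services must be restarted for a corrected ImagePath to take effect. Quoting the path only removes the ambiguity; the StartName column is included so that services running as LocalSystem from user-writable directories can be prioritised for the permission review the Remediation section calls for.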
EUVD-2025-209051
GHSA-p44p-8r2h-6r26