CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description
Unquoted service path vulnerability in Small HTTP Server 3.06.36, affecting the service executable registered as 'C:\Program Files (x86)\shttps_mg\http.exe service'. Because the path contains spaces and is not enclosed in quotes, a local attacker who can write to a directory earlier in the path can place an executable whose name matches one of the path's space-delimited prefixes, and the service will run that file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, systems must be kept up to date with security patches, and physical and network access must be restricted.
Analysis
Small HTTP Server 3.06.36 allows local attackers with low privileges to execute arbitrary code through an unquoted service path in the http.exe service executable. By placing a malicious executable in a higher-priority location along the unquoted path 'C:\Program Files (x86)\shttps_mg\http.exe service', attackers can achieve full system compromise with high confidentiality, integrity, and availability impact. No public exploit had been identified at the time of analysis, and the CISA SSVC assessment indicates no current exploitation, though the technical impact is rated as total.
Technical Context
This vulnerability is an instance of CWE-428 (Unquoted Search Path or Element), a Windows-specific flaw where service paths containing spaces are not enclosed in quotes. When the Windows Service Control Manager starts the service registered as 'C:\Program Files (x86)\shttps_mg\http.exe service', it cannot tell where the executable name ends and the arguments begin, so it resolves the path one space-delimited prefix at a time and may try 'C:\Program.exe' before it reaches the intended executable 'C:\Program Files (x86)\shttps_mg\http.exe' (with 'service' as its argument). The affected product is identified via CPE cpe:2.3:a:smallsrv:small_http:*:*:*:*:*:*:*:*, specifically version 3.06.36 of Small HTTP Server from smallsrv. This misconfiguration is a common Windows service installation error that allows privilege escalation when attackers have write access to intermediate directories in the path hierarchy.
Affected Products
Small HTTP Server version 3.06.36 from smallsrv is confirmed affected, as identified by CPE cpe:2.3:a:smallsrv:small_http:*:*:*:*:*:*:*:*. The vulnerability was reported by INCIBE (Spanish National Cybersecurity Institute) and catalogued in the European Union Vulnerability Database as EUVD-2025-209051. According to the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv, the affected installation registers the service executable as C:\Program Files (x86)\shttps_mg\http.exe service without proper quoting.
Remediation
A patch is available per the vendor advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv. Organizations should immediately apply the vendor-released security update and verify that the service path is properly quoted in the Windows registry (the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<service name>). As an immediate workaround before patching, administrators can manually modify the service registry entry to enclose the executable path in double quotes, leaving the argument outside them: '"C:\Program Files (x86)\shttps_mg\http.exe" service'. Additionally, restrict write permissions on the Program Files directories so that no unprivileged user can drop an executable there, enforce least privilege for local user accounts, and audit existing service configurations for similar unquoted paths using tools like Windows Sysinternals AccessChk or PowerShell service enumeration scripts.
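The audit and registry fix described above, as an added PowerShell example (not code from the advisory, INCIBE, or the vendor): it lists every service whose ImagePath is unquoted yet contains spaces before the executable, shows the candidate files the Service Control Manager would try first, flags any that already exist on disk, and quotes the path with -WhatIf support. The function and service names are my own; the sample ImagePath is the one from the advisory.

```powershell
# Added example, not code from the advisory or the vendor: audit services for unquoted
# ImagePath values (CWE-428), show what the SCM would try first, and quote the path.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"') -or $ImagePath -notmatch ' ') { return }   # quoted or no spaces
    $prefix = ''
    foreach ($t in ($ImagePath -split ' ')) {
        $prefix = if ($prefix) { "$prefix $t" } else { $t }
        if ($prefix -match '\.exe$') { return }   # reached the intended executable
        "$prefix.exe"                             # candidate the SCM would try before it
    }
}

function Find-UnquotedServicePaths {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $ip) { return }
        $cands = @(Get-UnquotedPathCandidates -ImagePath $ip)
        if ($cands.Count -eq 0) { return }
        [pscustomobject]@{
            Service    = $_.PSChildName
            ImagePath  = $ip
            Candidates = $cands -join '; '
            # A candidate that already exists on disk needs immediate investigation.
            Present    = @($cands | Where-Object { Test-Path -LiteralPath $_ }) -join '; '
        }
    }
}

function Repair-ServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Service)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $ip = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if (-not (Get-UnquotedPathCandidates -ImagePath $ip)) { return }
    # Quote only the executable; arguments such as "service" stay outside the quotes.
    if ($ip -match '^(?<exe>.*?\.exe)(?<rest>.*)$') {
        $fixed = '"' + $Matches.exe + '"' + $Matches.rest
        if ($PSCmdlet.ShouldProcess($Service, "set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

# Constructed input matching the advisory's path: yields C:\Program.exe and C:\Program Files.exe
Get-UnquotedPathCandidates -ImagePath 'C:\Program Files (x86)\shttps_mg\http.exe service'
Find-UnquotedServicePaths | Format-Table -AutoSize        # live audit of this host
# Repair-ServiceImagePath -Service '<service name>' -WhatIf   # preview the registry change
```

Reading the Services key works as a standard user; writing the corrected ImagePath requires an elevated session, and the service must be restarted for the new value to take effect.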
EUVD-2025-209051
GHSA-p44p-8r2h-6r26