CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Small HTTP Server 3.06.36 registers its Windows service with an unquoted ImagePath, 'C:\Program Files (x86)\shttps_mg\http.exe service'. Because the path contains spaces and is not wrapped in quotes, Windows tries the shorter prefixes of the path (for example 'C:\Program.exe') as executables before it reaches the intended binary. A local attacker who can create a file at one of those shorter paths gets their executable started by the service instead of the legitimate one, which can lead to arbitrary code execution under the service account, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be quoted, systems must be kept up to date with security patches, and physical and network access to affected hosts should be restricted.
Analysis
Small HTTP Server 3.06.36 contains an unquoted service path vulnerability (CWE-428) that allows a local, authenticated attacker to execute arbitrary code with the service's privileges by planting an executable at one of the shorter paths Windows tries before the real binary. The recorded CVSS 4.0 vector scores 8.7, although it carries AV:N while the flaw itself requires a local foothold with write access to a specific location; real-world risk is lower still, with an EPSS probability of 0.02% (4th percentile) and no public exploit identified at the time of analysis. INCIBE has reported this vulnerability and patches are available from the vendor.
Technical Context
This vulnerability affects Small HTTP Server version 3.06.36 (CPE: cpe:2.3:a:smallsrv:small_http:*:*:*:*:*:*:*:*), specifically the service executable registered as 'C:\Program Files (x86)\shttps_mg\http.exe service'. The root cause is CWE-428 (Unquoted Search Path or Element), a classic Windows service misconfiguration: when the ImagePath contains spaces and is not quoted, CreateProcess treats each prefix ending at a space as a possible executable and tries them in order. For this path the system may attempt to run 'C:\Program.exe' and then 'C:\Program Files.exe' before reaching 'C:\Program Files (x86)\shttps_mg\http.exe'. An attacker who can create a file at one of those shorter paths, which here both sit in the drive root, gets their binary executed by the service control manager with the service's privileges.
Affected Products
Small HTTP Server version 3.06.36 is confirmed affected according to INCIBE-CERT reporting and ENISA EUVD-2025-209046. The vulnerability is tracked under CPE identifier cpe:2.3:a:smallsrv:small_http:*:*:*:*:*:*:*:* with the specific vulnerable version being 3.06.36. The affected component is the HTTP service executable installed at 'C:\Program Files (x86)\shttps_mg\http.exe service'. Full vulnerability details and vendor patch information are available in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41368.
Remediation
Patch available per vendor advisory from INCIBE-CERT at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv. The primary remediation is to upgrade Small HTTP Server to a patched version that quotes the service executable path in the Windows registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). Until patching is possible, an administrator can quote the ImagePath value of the service key by hand, which removes the flaw on the next service start. Additional compensating controls include confirming that non-administrative users cannot create files in the drive root (where 'C:\Program.exe' and 'C:\Program Files.exe' would have to be planted) or in 'C:\Program Files (x86)' and its subdirectories, auditing file creation events in those locations, and limiting physical and network access to the affected systems. Organizations should verify the fix by inspecting the service key and ensuring the ImagePath value contains quotes around the full executable path, with any arguments outside the quotes.
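The prefix enumeration described under Technical Context and the registry check and interim fix under Remediation, as an added PowerShell example; this is not code from the INCIBE advisory or from the Small HTTP Server vendor. It assumes it is run in an elevated PowerShell on Windows, and the service name 'shttps' used in the fix call is an assumption (the page does not state the service name; check Get-Service for the real one).

```powershell
# Added example, not part of the INCIBE advisory or the Small HTTP Server code base.
# Audits services for unquoted ImagePath values, lists the files an attacker would
# need to plant, checks whether low-privilege principals could create them, and
# applies the interim quoting fix. Windows-only; run from an elevated PowerShell.

function Get-UnquotedPathCandidates {
    # For an unquoted ImagePath with spaces, return the executables CreateProcess
    # tries before reaching the real binary: each prefix up to a space, with
    # ".exe" appended. The first token ending in .exe is treated as the real
    # binary and everything after it as arguments.
    param([Parameter(Mandatory)][string]$ImagePath)

    $trimmed = $ImagePath.Trim()
    if ($trimmed.StartsWith('"')) { return @() }   # already quoted: nothing to hijack

    $tokens = $trimmed -split ' '
    $candidates = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -imatch '\.exe$') { break }    # reached the intended binary
        $candidates += "$prefix.exe"
    }
    return $candidates
}

function Test-LowPrivCreateFiles {
    # True if a typical non-admin principal holds an Allow ACE granting CreateFiles
    # (WriteData) on the directory itself. Inherit-only ACEs are skipped: they apply
    # to children, not to the directory where the file would be planted.
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $lowPriv     = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    # Walk every service key and report unquoted drive-letter paths containing spaces,
    # together with the plantable files and which of them sit in a low-priv-writable directory.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ImagePath -is [string] -and
            $_.ImagePath -match '^\s*[A-Za-z]:\\' -and
            $_.ImagePath -match ' ' -and
            $_.ImagePath -notmatch '^\s*"'
        } |
        ForEach-Object {
            $candidates = @(Get-UnquotedPathCandidates -ImagePath $_.ImagePath)
            [pscustomobject]@{
                Service         = $_.PSChildName
                ImagePath       = $_.ImagePath
                PlantableFiles  = $candidates
                LowPrivWritable = @($candidates | Where-Object { Test-LowPrivCreateFiles -Directory (Split-Path -Path $_ -Parent) })
            }
        }
}

function Repair-ServiceImagePath {
    # Interim fix when no patched build can be installed: quote the executable
    # portion of ImagePath in the registry. Takes effect on the next service start.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$ExePath,
        [string]$Arguments = ''
    )
    $quoted = ('"{0}" {1}' -f $ExePath, $Arguments).Trim()
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name ImagePath -Value $quoted
    return $quoted
}

# Demonstration on the path from the advisory (constructed input; no registry change here).
$advisoryPath = 'C:\Program Files (x86)\shttps_mg\http.exe service'
Get-UnquotedPathCandidates -ImagePath $advisoryPath

# Host-wide audit:   Find-UnquotedServicePaths | Format-List
# Interim fix (service name 'shttps' is an assumption; confirm with Get-Service first):
# Repair-ServiceImagePath -ServiceName 'shttps' -ExePath 'C:\Program Files (x86)\shttps_mg\http.exe' -Arguments 'service'
```

On the advisory's path Get-UnquotedPathCandidates yields C:\Program.exe and C:\Program Files.exe, both in the drive root, which is why the ACL that decides exploitability is the one on C:\ rather than on C:\Program Files (x86). On a default Windows install Authenticated Users hold an inherit-only Modify ACE plus a create-folders right on C:\ but no create-files right on the root itself, so Test-LowPrivCreateFiles reports false there; a host where an installer or administrator has loosened that ACL is where this bug becomes a working privilege escalation. After Repair-ServiceImagePath, re-run Find-UnquotedServicePaths and confirm the service no longer appears, then restart it.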
EUVD-2025-209046
GHSA-gm55-992f-6xm4