Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.
AnalysisAI
Local privilege escalation in CivetWeb v1.16 service allows authenticated users to execute arbitrary code with SYSTEM privileges via unquoted service path exploitation. The Windows service configuration lacks quotes around 'C:\Program Files\CivetWeb\CivetWeb.exe', enabling attackers to place malicious executables in directories scanned before the intended path (e.g., 'C:\Program.exe' or 'C:\Program Files\CivetWeb.exe'). No public exploit identified at time of analysis, though EPSS data not available. Patch available per vendor advisory from INCIBE.
Technical ContextAI
CivetWeb is an embedded C/C++ web server library commonly deployed as a Windows service. This vulnerability exploits CWE-428 (Unquoted Search Path or Element), a Windows-specific configuration flaw in service registry entries. When Windows executes a service path containing spaces without surrounding quotes, the Service Control Manager parses the path incorrectly, treating each space-separated token as a potential executable path. For 'C:\Program Files\CivetWeb\CivetWeb.exe', Windows attempts execution in order: 'C:\Program.exe', 'C:\Program Files\CivetWeb.exe', then the intended path. The CPE identifier (cpe:2.3:a:civetweb:civetweb:*:*:*:*:*:*:*:*) indicates the core CivetWeb library is affected across versions, though the description specifically identifies v1.16. This is a classic Windows privilege escalation primitive that requires write access to system directories, typically restricted to administrators but exploitable in misconfigured environments or through chained attacks.
RemediationAI
Vendor-released patch available per INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/search-path-without-quotes-civetweb - consult advisory for exact patched version and upgrade instructions. Primary fix: Upgrade CivetWeb to the patched version that correctly quotes the service executable path in registry configuration. Manual workaround (if immediate patching infeasible): Modify the Windows service registry entry to add quotes around the executable path using 'sc config [ServiceName] binPath= "C:\Program Files\CivetWeb\CivetWeb.exe"' from elevated command prompt, then restart service. Compensating control: Audit and restrict write permissions on C:\ and C:\Program Files\ directories to Administrators group only (remove write access for Users, Power Users groups) using icacls or Group Policy - trade-off is this may break legacy applications expecting lax permissions. Verify fix by checking registry key HKLM\SYSTEM\CurrentControlSet\Services\[CivetWebServiceName]\ImagePath contains quoted path. Organizations not using CivetWeb as a Windows service are not affected and require no action.
Same weakness CWE-428 – Unquoted Search Path or Element
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24138
GHSA-9vxj-j2f7-9mgg