CVE-2017-20218

Summary

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.

Affected Software

VendorProductVersion RangeStatus
ServiioServiio PRO1.8.0.0 PROaffected
ServiioServiio PRO1.7.1affected
ServiioServiio PRO1.7.0affected
ServiioServiio PRO1.6.1affected

Weaknesses

  • CWE-428: Unquoted Search Path or Element

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References