Description
IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.
Published: 2026-04-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to LocalSystem
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an unquoted service path in the AdvancedSystemCareService10 service of IObit Advanced SystemCare 10.0.2. Because the service path is not surrounded by quotation marks, an attacker can place a malicious executable in the directory path before the intended executable and the service will launch the attacker’s code when it starts. The code then runs with LocalSystem privileges, giving the attacker full control over the machine.

Affected Systems

The affected product is IObit Advanced SystemCare, specifically version 10.0.2, as listed in the official CNA documentation. No other versions are explicitly noted as vulnerable in the provided data.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity, while the EPSS score of less than 1% suggests that the attack is unlikely to be seen widely in the wild. The vulnerability is not in the CISA KEV catalog. The likely attack vector is local; an attacker with local access can place a malicious executable in the service path or edit the registry entry, then restart the service or the system for the malicious code to run as LocalSystem.

Generated by OpenCVE AI on April 14, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official update from IObit that patches the AdvancedSystemCareService10 service path.
  • If an update is not immediately available, disable or remove the AdvancedSystemCareService10 service to prevent execution of malicious code.
  • Limit local user permissions so that only trusted accounts can modify the service executable or registry entries.
  • Monitor the system for unexpected executable placement in the service path directory.
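
An added audit sketch for the monitoring and permission items above (not code from OpenCVE or IObit): it parses service ImagePath strings, lists the file locations Windows tries before the intended binary when the path is unquoted and contains spaces, and returns the quoted form of the path. The service names and paths are constructed placeholders, because the page does not state the real install path; the parser assumes the executable ends at the first `.exe`.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data: placeholder service names and paths, not taken from the page.
SAMPLE_SERVICES = {
    "ExampleUnquotedSvc": r"C:\Program Files (x86)\Example Vendor\Example Suite\ExampleSvc.exe /service",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" -k run',
    "ExampleNoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        end = len(s) if end == -1 else end
        return s[1:end], s[end + 1:], True
    # Assumption: an unquoted executable ends at the first ".exe" token.
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    cut = m.end() if m else len(s)
    return s[:cut], s[cut:], False

def interception_candidates(image_path):
    """Files Windows tries before the intended binary when the path is unquoted."""
    exe, _args, quoted = split_image_path(image_path)
    if quoted:
        return []
    # At each space, the text before it is tried as a program name plus ".exe".
    return [exe[:i] + ".exe" for i, ch in enumerate(exe)
            if ch == " " and i > 0 and exe[i - 1] != " "]

def quoted_form(image_path):
    """ImagePath with the executable wrapped in quotes (the CWE-428 fix)."""
    exe, args, quoted = split_image_path(image_path)
    return image_path.strip() if quoted else f'"{exe}"{args}'

def audit(services):
    """Map each affected service to files to watch, directories to ACL-check, and the fix."""
    report = {}
    for name, image_path in services.items():
        cands = interception_candidates(image_path)
        if cands:
            dirs = sorted({str(PureWindowsPath(c).parent) for c in cands})
            report[name] = {"watch_files": cands, "check_acl_dirs": dirs,
                            "fixed_image_path": quoted_form(image_path)}
    return report

if __name__ == "__main__":
    for svc, finding in audit(SAMPLE_SERVICES).items():
        print(svc, finding)
```

On a live host the input would be the ImagePath values under the Services registry key; any file appearing at a `watch_files` location, or write access for non-administrators on a `check_acl_dirs` directory, is the condition to alert on.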



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Iobit advanced System Care |
| CPEs | | cpe:2.3:a:iobit:advanced_system_care:*:*:*:*:free:*:*:* |
| Vendors & Products | | Iobit advanced System Care |

Mon, 06 Apr 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Sat, 04 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges. |
| Title | | IObit Advanced SystemCare 10.0.2 Unquoted Service Path Privilege Escalation |
| First Time appeared | | Iobit |
| | | Iobit advanced Systemcare |
| | | Iobit advanced Systemcare Ultimate |
| Weaknesses | | CWE-428 |
| CPEs | | cpe:2.3:a:iobit:advanced_systemcare:13.2:*:*:*:*:windows:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare:13.5.0.263:*:*:*:free:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare:15:*:*:*:free:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare:15:*:*:*:pro:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare_ultimate:-:*:*:*:*:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare_ultimate:10.0.2:*:*:*:*:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare_ultimate:14.2.0.220:*:*:*:*:*:*:* |
| | | cpe:2.3:a:iobit:advanced_systemcare_ultimate:17.0.0:*:*:*:*:*:*:* |
| Vendors & Products | | Iobit |
| | | Iobit advanced Systemcare |
| | | Iobit advanced Systemcare Ultimate |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |
| | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:42:28.084Z

Reserved: 2026-04-04T13:37:50.146Z

Link: CVE-2016-20055

Vulnrichment

Updated: 2026-04-06T15:42:22.423Z

NVD

Status: Analyzed

Published: 2026-04-04T14:16:17.863

Modified: 2026-04-14T19:09:27.900

Link: CVE-2016-20055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses