Description
Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can place executable files in the service path and upon service restart or system reboot, the malicious code executes with LocalSystem privileges.
Published: 2026-04-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Hotspot Shield 6.0.3 installation contains an unquoted service path flaw in its hshld service binary. Because the path is not surrounded by quotation marks, the Windows service launcher treats each space in it as a possible end of the executable name and tries those shorter paths first, so a file placed at one of them runs instead of the real binary. Local attackers can therefore deploy a malicious executable at such a location and, upon service restart or a system reboot, the code runs with LocalSystem privileges. This elevation grants full control over the machine, allowing an attacker to modify files, install additional software, or exfiltrate data.

Affected Systems

Hotspot Shield version 6.0.3 is affected. The vulnerability is tied to the hshld Windows service that ships with this specific build. No other versions are listed as affected in the CNA data.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity risk. The attack can only be carried out by a local user who can place an executable in the service directory; no remote exploitation vector is described. Because the EPSS score is not available and the issue is not listed in the KEV catalog, the overall likelihood of public exploitation is unknown, but local privilege escalation remains a serious threat if the vulnerability is left unpatched.

Generated by OpenCVE AI on April 4, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hotspot Shield to the latest version or uninstall the hshld service.
  • Restart the service or reboot the system after applying the update to ensure the vulnerability is removed.
  • If an update is not immediately available, disable the hshld service so that no code can execute from its path.
  • Verify that no unauthorized executables exist in the service path directory before re-enabling the service.
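As an added example (not OpenCVE's or the vendor's code), the check behind the Impact paragraph and the last recommended action: how Windows resolves an unquoted ImagePath, which locations must therefore not be writable by unprivileged users, and the quoted value the service should be reconfigured with. Service names and paths are constructed; the advisory does not give hshld's install path.

```python
import ntpath
import re

def _with_default_ext(prefix: str) -> str:
    # CreateProcess appends .exe only when the last path component has no extension.
    return prefix if "." in ntpath.basename(prefix) else prefix + ".exe"

def candidate_executables(image_path: str) -> list[str]:
    """Files Windows would try, in order, to start the service.  An unquoted path is cut
    at each whitespace run; each prefix before the real binary is a hijack point."""
    path = image_path.strip()
    if path.startswith('"'):                       # quoted: exactly one candidate
        end = path.find('"', 1)
        return [path[1:] if end == -1 else path[1:end]]
    candidates = []
    for m in re.finditer(r"\s+", path):
        prefix = path[:m.start()]
        candidates.append(_with_default_ext(prefix))
        if prefix.lower().endswith(".exe"):
            return candidates                      # reached the real binary; rest is arguments
    candidates.append(_with_default_ext(path))
    return candidates

def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Ambiguous services -> paths that must not be writable by unprivileged users."""
    findings = {}
    for name, image_path in services.items():
        cands = candidate_executables(image_path)
        if len(cands) > 1:
            findings[name] = cands[:-1]
    return findings

def quoted_image_path(image_path: str) -> str:
    """Hardened ImagePath: executable quoted, arguments kept (value for sc config binPath=)."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = candidate_executables(path)[-1]
    if path.startswith(exe):
        return f'"{exe}"{path[len(exe):]}'
    return f'"{path}"'                             # .exe was implied; quote the whole command

# Constructed sample ImagePath values; the advisory does not give hshld's real install path.
SAMPLE_SERVICES = {
    "hshld": r"C:\Program Files\Hotspot Shield\bin\hshld.exe",
    "ExampleSvc": r"C:\Program Files\Example Co\svc.exe -service",
    "GoodSvc": r'"C:\Program Files\Example Co\good.exe" -service',
    "NetSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
HIJACK_POINTS = audit_services(SAMPLE_SERVICES)
```

Each path listed for a service is a location where a planted file would be started as LocalSystem; the directories containing them should be verified as recommended above and their ACLs checked, and the service's ImagePath set to the quoted form.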

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hotspotshield
                                      Hotspotshield hotspot Shield
Vendors & Products                    Hotspotshield
                                      Hotspotshield hotspot Shield

Mon, 06 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
Description                           Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can place executable files in the service path and upon service restart or system reboot, the malicious code executes with LocalSystem privileges.
Title                                 Hotspot Shield 6.0.3 Unquoted Service Path Privilege Escalation
First Time appeared                   Pango
                                      Pango hotspot Shield
Weaknesses                            CWE-428
CPEs                                  cpe:2.3:a:pango:hotspot_shield:6.0.3:*:*:*:*:*:*:*
Vendors & Products                    Pango
                                      Pango hotspot Shield
References
Metrics                               cvssV3_1
                                      {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0
                                      {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T13:29:02.393Z

Reserved: 2026-04-04T13:43:09.305Z

Link: CVE-2016-20060

Vulnrichment

Updated: 2026-04-06T13:28:49.153Z

NVD

Status: Deferred

Published: 2026-04-04T14:16:18.757

Modified: 2026-04-16T16:15:56.380

Link: CVE-2016-20060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:51Z

Weaknesses