Description
Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vembu StoreGrid 4.0 has an unquoted service path in the RemoteBackup and RemoteBackup_webServer services. A local attacker can place a malicious executable at a location that the unquoted service path resolves to and then restart the service. On restart, the executable runs with LocalSystem privileges, allowing the attacker to gain full control of the host. The flaw is classified as CWE-428, an unquoted service path weakness.

Affected Systems

Vembu StoreGrid version 4.0 is affected. The vulnerability exists in the RemoteBackup and RemoteBackup_webServer services, which run under the LocalSystem account and are installed with unquoted paths.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity, and no exploit probability (EPSS) score is publicly available. The vulnerability is not listed in the CISA KEV catalog. Attackers must have local access to the system to place the malicious file and restart the service, so the attack vector is local. Once the file is executed, the attacker can gain full system privileges.

Generated by OpenCVE AI on June 19, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's official patch or update to the latest StoreGrid release to eliminate the unquoted service path.
  • Modify the service executable paths by surrounding them with quotes in the Windows Service configuration or by reinstalling the service with a quoted path.
  • Remove or disable the RemoteBackup and RemoteBackup_webServer services if they are not required, or restrict user permissions so that only trusted accounts can stop and restart these services.

Generated by OpenCVE AI on June 19, 2026 at 20:40 UTC.
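
The check behind the second recommended action, as an added example that is not part of the OpenCVE record or Vembu's tooling: it flags a service image path that is unquoted and has whitespace in the executable portion, and prints the quoted form. The helper name Test-UnquotedServicePath and the sample paths are constructed for illustration, since the advisory does not give StoreGrid's install path.

```powershell
# Added example. Test-UnquotedServicePath is a hypothetical helper name.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A leading quote means the executable is delimited unambiguously.
    if ($p.StartsWith('"')) { return $null }

    # Split executable from arguments at the first ".exe" followed by
    # whitespace or end of string. Other image types are not evaluated here.
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') { return $null }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']

    # Only whitespace inside the executable portion is ambiguous (CWE-428).
    if ($exe -notmatch '\s') { return $null }

    [pscustomobject]@{
        Original  = $p
        Suggested = '"{0}"{1}' -f $exe, $rest
    }
}

# Constructed sample values; only the first should be reported.
$samples = @(
    'C:\Program Files\Example Vendor\Backup Server\bin\svc.exe -service'
    '"C:\Program Files\Example Vendor\Backup Server\bin\svc.exe" -service'
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
$samples | ForEach-Object { Test-UnquotedServicePath -PathName $_ }

# Live check of the two services named in the advisory
# (no output if they are absent or already quoted).
$names = 'RemoteBackup', 'RemoteBackup_webServer'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $names -contains $_.Name -and $_.PathName } |
    ForEach-Object {
        $r = Test-UnquotedServicePath -PathName $_.PathName
        if ($r) {
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName
                Original  = $r.Original
                Suggested = $r.Suggested
            }
        }
    }
```

Write the Suggested value back to the service's image path from an elevated session (for example with sc.exe config), and confirm that non-administrators cannot write to the directories along that path.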

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges.
Title Vembu StoreGrid 4.0 Unquoted Service Path Privilege Escalation
Weaknesses CWE-428
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:41.759Z

Reserved: 2026-06-19T13:14:57.984Z

Link: CVE-2016-20086

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:12Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element