Description
NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or system reboot, resulting in privilege escalation.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NetDrive 2.6.12 has an unquoted service path in the Netdrive2_Service_Netdrive2 service. Because the executable path is not surrounded by quotation marks, the Windows service loader may misinterpret the path, allowing a local user to place a malicious executable in the system root directory; the service will launch it with SYSTEM privileges during startup or reboot, giving the attacker full control of the machine. The weakness is a classic unquoted service path flaw (CWE-428) that enables arbitrary code execution with elevated rights.

Affected Systems

The affected product is NetDrive, version 2.6.12. It is distributed by NetDrive. No other versions or platforms are listed.

Risk and Exploitability

The CVSS score of 8.5 indicates severe risk, while the EPSS score is unavailable and the vulnerability is not listed in CISA KEV. The likely attack vector is local: a user who can run programs on the machine may create the malicious file in the system root directory or gain write access to the root path. Once the service restarts or the system reboots, the attacker’s code runs with SYSTEM privileges, enabling full control, data tampering, and persistence.

Generated by OpenCVE AI on June 19, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest NetDrive release that includes a quoted service path.
  • Modify the service configuration to quote the executable path or reference a non‑writable directory.
  • Restrict local user permissions by denying write access to the system root directory.
  • Set ACLs on the system root folder to allow write access only for administrators.
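
Added example (not part of the OpenCVE record or NetDrive's code): a Python check that flags Windows service ImagePath values whose executable portion is unquoted and contains a space, and returns the quoted form for the service-configuration fix listed above. The service names and paths are constructed samples; on a host, feed it the ImagePath values found under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# End of the executable portion: a launchable extension followed by a space or end of string.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath, or None if no executable is found."""
    value = image_path.strip()
    match = _EXE_END.search(value)
    if match is None:
        return None  # e.g. kernel driver entries ending in .sys
    return value[:match.end()], value[match.end():].strip()

def is_unquoted_with_space(image_path):
    """True when the executable portion contains a space and is not wrapped in quotes (CWE-428)."""
    value = image_path.strip()
    if value.startswith('"'):
        return False
    parts = split_image_path(value)
    return parts is not None and " " in parts[0]

def quoted_fix(image_path):
    """Return the ImagePath with the executable quoted; unchanged if it is not affected."""
    if not is_unquoted_with_space(image_path):
        return image_path
    exe, args = split_image_path(image_path)
    return f'"{exe}" {args}'.rstrip()

# Constructed sample values (not NetDrive's real path, which the record does not give).
SAMPLES = {
    "ExampleSvcA": r"C:\Program Files\Example Vendor\svc.exe --service",
    "ExampleSvcB": r'"C:\Program Files\Example Vendor\svc.exe" --service',
    "ExampleSvcC": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "ExampleDrv":  r"\SystemRoot\System32\drivers\example.sys",
}

def audit(services):
    """Map each affected service name to its corrected ImagePath."""
    return {name: quoted_fix(path) for name, path in services.items()
            if is_unquoted_with_space(path)}

if __name__ == "__main__":
    for name, fixed in audit(SAMPLES).items():
        print(f"{name}: unquoted path, set ImagePath to {fixed}")
```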

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or system reboot, resulting in privilege escalation.
Title | | NetDrive 2.6.12 Unquoted Service Path Elevation of Privilege
Weaknesses | | CWE-428
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:45.861Z

Reserved: 2026-06-19T13:23:47.911Z

Link: CVE-2016-20092

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:45:03Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element