Description
Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots.
Published: 2026-05-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service. The missing quotes around the binary path allow a local attacker to place a malicious executable in the directory referenced by the path. When the service restarts or the system reboots, the operating system resolves the path without quoting, executing the attacker‑deployed file with LocalSystem privileges. The resulting escalation grants the attacker complete control of the machine, including the ability to install rootkits, modify system settings, or create persistent backdoors.

Affected Systems

The affected product is Syncplify.me Server!, version 5.0.37, available from Syncplify. The most recent publicly documented version susceptible to this flaw is 5.0.37. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalogue, suggesting no current widespread exploitation. This flaw is a local privilege escalation, relying on the presence of a local account with the ability to write to the service directory. Once the attacker can place a malicious executable, they can gain system‑level privileges with relatively simple steps, making the risk significant for systems where local user privileges are not tightly constrained.

Generated by OpenCVE AI on May 16, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version of Syncplify.me Server! newer than 5.0.37 that quotes the service path.
  • If a patch cannot be applied immediately, modify the service configuration to enclose the binary path in quotation marks, preventing the operating system from resolving unquoted paths.
  • Restrict write permissions on the directory containing SMWebRestServicev5 so that only the system account can modify its contents, thereby denying local attackers the ability to drop a malicious executable.

Generated by OpenCVE AI on May 16, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Syncplify
Syncplify syncplify.me Server!
Vendors & Products Syncplify
Syncplify syncplify.me Server!

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots.
Title Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation
Weaknesses CWE-428
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Syncplify Syncplify.me Server!
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T12:58:40.043Z

Reserved: 2026-05-15T13:33:45.700Z

Link: CVE-2020-37230

cve-icon Vulnrichment

Updated: 2026-05-18T12:58:35.869Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-16T16:16:18.920

Modified: 2026-05-18T20:16:05.873

Link: CVE-2020-37230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:00:56Z

Weaknesses
  • CWE-428

    Unquoted Search Path or Element