Description
Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots.
Published: 2026-05-16
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service. The missing quotes around the binary path allow a local attacker to place a malicious executable in the directory referenced by the path. When the service restarts or the system reboots, the operating system resolves the path without quoting, executing the attacker‑deployed file with LocalSystem privileges. The resulting escalation grants the attacker complete control of the machine, including the ability to install rootkits, modify system settings, or create persistent backdoors.

Affected Systems

The affected product is Syncplify.me Server!, version 5.0.37, available from Syncplify. The most recent publicly documented version susceptible to this flaw is 5.0.37. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalogue, suggesting no current widespread exploitation. This flaw is a local privilege escalation, relying on the presence of a local account with the ability to write to the service directory. Once the attacker can place a malicious executable, they can gain system‑level privileges with relatively simple steps, making the risk significant for systems where local user privileges are not tightly constrained.

Generated by OpenCVE AI on May 16, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version of Syncplify.me Server! newer than 5.0.37 that quotes the service path.
  • If a patch cannot be applied immediately, modify the service configuration to enclose the binary path in quotation marks, preventing the operating system from resolving unquoted paths.
  • Restrict write permissions on the directory containing SMWebRestServicev5 so that only the system account can modify its contents, thereby denying local attackers the ability to drop a malicious executable.

Generated by OpenCVE AI on May 16, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots.
Title Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation
Weaknesses CWE-428
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:48.208Z

Reserved: 2026-05-15T13:33:45.700Z

Link: CVE-2020-37230

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:18.920

Modified: 2026-05-16T16:16:18.920

Link: CVE-2020-37230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T16:45:27Z

Weaknesses