Description
Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts.
Published: 2026-05-16
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kite 4.2.0.1 U1 registers its Windows service with an unquoted binary path that a local user can take advantage of. When the service starts, Windows resolves the unquoted path under Program Files by trying each space-delimited prefix in turn, so a malicious executable placed at one of those intermediate locations runs with LocalSystem privileges instead of the intended binary. This flaw provides a local privilege escalation capability and could be used to take control of the affected machine. The weakness is classified as CWE-428 (Unquoted Search Path or Element).

Affected Systems

The vulnerability affects the Kite software product from Kite. All installations utilizing the KiteService on a Windows machine with a service binary path residing in the default Program Files directory are susceptible. No specific version list is provided beyond the mention of 4.2.0.1 U1; therefore any deployment of that release should be reviewed.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity impact. The issue is not listed in the CISA KEV catalog. Attackers would require local access and the ability to place a file in the Program Files folder or modify the service path. Once the malicious binary runs with LocalSystem privileges when the service starts, the attacker can fully compromise the host.

Generated by OpenCVE AI on May 16, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kite to the latest released version that properly quotes the service path in its service configuration.
  • If an update is unavailable, edit the service properties in the Windows registry to enclose the binary path in double quotes or relocate the executable to a directory that does not conflict with the default service path.
  • Temporarily disable or stop the KiteService until a patched version is deployed to prevent automatic execution of the malicious binary.
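One way to check a host for this class of weakness and apply the quoting workaround from the list above, as an added example that is not OpenCVE's or Kite's code; the ".exe" split regex and the service Type filter are this script's own assumptions, and it must run from an elevated PowerShell session.

```powershell
# Audit a Windows host for unquoted service image paths (CWE-428) and, with -Fix,
# wrap the executable portion of each offending ImagePath in double quotes.
# Added example, not OpenCVE's or Kite's code; the regex and Type filter are
# this script's own assumptions.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $services | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = $props.ImagePath
    # Skip keys without an ImagePath and anything that is not a Win32 service
    # (Type 0x10 own-process / 0x20 shared-process); kernel drivers are ignored.
    if (-not $image -or -not ($props.Type -band 0x30)) { return }
    if ($image.TrimStart().StartsWith('"')) { return }   # already quoted

    # Split the executable from its arguments: everything up to the first ".exe".
    $m = [regex]::Match($image, '^\s*(.*?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe     = $m.Groups[1].Value
    $cmdArgs = $m.Groups[2].Value
    # Only a space inside the executable path makes the lookup ambiguous.
    if ($exe -notmatch '\s') { return }

    # Report the finding (e.g. KiteService with its Program Files path).
    [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $image }

    if ($Fix -and $PSCmdlet.ShouldProcess($key.PSChildName, 'quote ImagePath')) {
        $quoted = '"' + $exe + '"' + $cmdArgs
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted
    }
}
```

Run it without -Fix first to review the findings; -Fix -WhatIf previews the registry writes before they are made.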

Generated by OpenCVE AI on May 16, 2026 at 16:54 UTC.


Advisories

No advisories yet.

History

Sat, 16 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Kite; Kite kite
Vendors & Products                    Kite; Kite kite

Sat, 16 May 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts.
Title                          Kite 4.2.0.1 U1 Unquoted Service Path Privilege Escalation
Weaknesses                     CWE-428
References
Metrics                        cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:02.268Z

Reserved: 2026-05-16T14:54:10.515Z

Link: CVE-2020-37247

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:21.123

Modified: 2026-05-16T16:16:21.123

Link: CVE-2020-37247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:00:13Z

Weaknesses