Description
Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Winstep Xtreme Service in version 18.06.0096 registers its service path without quotation marks. Because the path contains spaces, Windows tries each space-delimited prefix of it as an executable name before reaching the intended binary, so a local attacker who places a malicious executable in the Program Files directory can have it run when the service starts. The executable runs with LocalSystem privileges, allowing the attacker to gain full system access, modify files, and execute arbitrary code without detection.

Affected Systems

The vulnerability affects the Winstep product (Winstep Xtreme Service) released as version 18.06.0096. Any installation of this specific release is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity risk. The EPSS score is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no large‑scale public exploitation has been reported. The attack vector is local: an attacker who can write to the Program Files directory or otherwise specify a path can trigger the privilege escalation during the service startup.

Generated by OpenCVE AI on June 19, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Winstep Xtreme Service to a patched release that correctly quotes the service path.
  • If no patch is available, disable or set the Winstep Xtreme Service to manual start so that it does not automatically execute code from the Program Files directory.
  • Remove any unauthorized executables from the Program Files directory and enforce strict file permissions to prevent future placement of malicious code.
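An audit sketch for the actions above, added here as an example (not code from OpenCVE or Winstep): it flags unquoted service paths containing spaces, lists the locations Windows would try before the intended binary so they can be verified absent and not writable by non-administrators, and produces the quoted form. The advisory does not give the service's actual path, so the `ImagePath` values below are constructed; on a real host they are read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>`.

```python
import re

# Constructed sample ImagePath values (assumptions, not from the advisory).
SAMPLE_SERVICES = {
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Example Suite\svc.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Example Suite\svc.exe" -run',
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest prefix ending in ".exe" that is followed by whitespace or end of string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Executable portion of an unquoted ImagePath, or None if there is none."""
    m = EXE_RE.match(image_path.strip())
    return m.group(1) if m else None


def is_unquoted_with_spaces(image_path):
    """True when the path is unquoted and its executable part contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe = executable_part(p)
    return exe is not None and " " in exe


def shadow_candidates(image_path):
    """Paths Windows tries, in order, before the intended binary (CWE-428)."""
    if not is_unquoted_with_spaces(image_path):
        return []
    exe = executable_part(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_fix(image_path):
    """ImagePath with the executable quoted and its arguments preserved."""
    p = image_path.strip()
    exe = executable_part(p)
    return p if exe is None else f'"{exe}"{p[len(exe):]}'


def audit(services):
    """Map each vulnerable service name to locations to check and the fixed path."""
    return {name: {"check_absent": shadow_candidates(path), "fixed": quoted_fix(path)}
            for name, path in services.items() if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES).items():
        print(name, finding)
```
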

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.
Title | | Winstep 18.06.0096 Unquoted Service Path Privilege Escalation
Weaknesses | | CWE-428
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:51.429Z

Reserved: 2026-06-19T14:05:28.110Z

Link: CVE-2020-37253

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element