CVE-2020-37253 PUBLISHED

Winstep 18.06.0096 Unquoted Service Path Privilege Escalation

Assigner: VulnCheck
Reserved: 19.06.2026 Published: 19.06.2026 Updated: 19.06.2026

Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Product Status

Vendor Winstep
Product Winstep
Versions
  • Version 18.06.0096 is affected

References

Problem Types

  • Unquoted Search Path or Element CWE