CVE-2016-20061
Unquoted Service Path in sheed AntiVirus ShavProt Enables Privilege Escalation
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sheed | antivirus | 2.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows local attackers to escalate privileges to LocalSystem level, which can lead to unauthorized access, modification, or disruption of sensitive data and system functions.
Such unauthorized privilege escalation and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.
Failure to mitigate this vulnerability could result in violations of these regulations due to increased risk of data breaches or unauthorized system changes.
Can you explain this vulnerability to me?
CVE-2016-20061 is an unquoted service path vulnerability found in sheed AntiVirus version 2.3, specifically in the ShavProt service. Because the service's executable path contains spaces and is not enclosed in quotes, a local attacker can place a malicious executable in a directory path that the system interprets before the legitimate executable.
When the service restarts or the system reboots, the malicious executable is executed with LocalSystem privileges, allowing the attacker to escalate their privileges on the affected system.
How can this vulnerability impact me? :
This vulnerability allows a local attacker with low privileges to escalate their privileges to LocalSystem level by exploiting the unquoted service path in the ShavProt service.
- The attacker can execute arbitrary code with high-level privileges.
- This can lead to full system compromise, including unauthorized access to sensitive data, modification of system files, and disruption of system availability.
- The vulnerability has a high severity rating with a CVSS v4 score of 8.5, indicating significant impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths in the installed services, specifically looking for the ShavProt service related to sheed AntiVirus 2.3.
A common method to detect unquoted service paths is to query the service executable path and verify if it contains spaces without quotes.
- Use the command: sc qc ShavProt
- Check the output for the BINARY_PATH_NAME field; if the path contains spaces and is not enclosed in quotes, the service is vulnerable.
- Alternatively, use PowerShell to find unquoted service paths: Get-WmiObject win32_service | where {$_.PathName -like '* *' -and $_.PathName -notlike '"*"'} | select Name, PathName
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately quote the service executable path to prevent the system from misinterpreting the path and executing malicious code.
Specifically, update the ShavProt service path from an unquoted path like C:\Program Files\Sheed AntiVirus\shgrprot.exe to a quoted path: "C:\Program Files\Sheed AntiVirus\shgrprot.exe".
If quoting the path is not possible immediately, restrict local user permissions to prevent placing malicious executables in directories referenced by the service path.
Additionally, consider restarting the service or the system after applying the fix to ensure the corrected path is used.