CVE-2016-20086
Deferred Deferred - Pending Action

Unquoted Service Path in Vembu StoreGrid 4.0

Vulnerability report for CVE-2016-20086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-10
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vembu storegrid 4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services.

This vulnerability allows local attackers to escalate privileges by placing a malicious executable in the unquoted service path.

When the service is restarted, the malicious executable is executed with LocalSystem privileges, giving the attacker elevated control over the system.

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code with LocalSystem privileges.

Such privilege escalation can lead to full control over the affected system, enabling the attacker to install malware, steal data, or disrupt services.

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the affected services, specifically RemoteBackup and RemoteBackup_webServer, on systems running Vembu StoreGrid 4.0.

A common method to detect unquoted service paths is to use the Windows command line to query the service paths and look for unquoted spaces.

  • Run the command: sc qc RemoteBackup
  • Run the command: sc qc RemoteBackup_webServer

Examine the output for service paths that contain spaces but are not enclosed in quotes, which indicates the presence of the unquoted service path vulnerability.

Mitigation Strategies

Immediate mitigation involves correcting the unquoted service paths by enclosing the executable paths of the RemoteBackup and RemoteBackup_webServer services in quotation marks.

Alternatively, ensure that no untrusted or malicious executables exist in the directories along the service path to prevent privilege escalation.

Restart the affected services after applying the fix to ensure the changes take effect.

If possible, apply any official patches or updates provided by Vembu for StoreGrid 4.0 that address this vulnerability.

Compliance Impact

The provided information does not specify how the unquoted service path vulnerability in Vembu StoreGrid 4.0 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2016-20086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart