CVE-2016-20086
Received Received - Intake
Unquoted Service Path in Vembu StoreGrid 4.0

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2016-20086
EUVD
EUVD-2016-10899
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vembu storegrid 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the unquoted service path vulnerability in Vembu StoreGrid 4.0 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services.

This vulnerability allows local attackers to escalate privileges by placing a malicious executable in the unquoted service path.

When the service is restarted, the malicious executable is executed with LocalSystem privileges, giving the attacker elevated control over the system.

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code with LocalSystem privileges.

Such privilege escalation can lead to full control over the affected system, enabling the attacker to install malware, steal data, or disrupt services.

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the affected services, specifically RemoteBackup and RemoteBackup_webServer, on systems running Vembu StoreGrid 4.0.

A common method to detect unquoted service paths is to use the Windows command line to query the service paths and look for unquoted spaces.

  • Run the command: sc qc RemoteBackup
  • Run the command: sc qc RemoteBackup_webServer

Examine the output for service paths that contain spaces but are not enclosed in quotes, which indicates the presence of the unquoted service path vulnerability.

Mitigation Strategies

Immediate mitigation involves correcting the unquoted service paths by enclosing the executable paths of the RemoteBackup and RemoteBackup_webServer services in quotation marks.

Alternatively, ensure that no untrusted or malicious executables exist in the directories along the service path to prevent privilege escalation.

Restart the affected services after applying the fix to ensure the changes take effect.

If possible, apply any official patches or updates provided by Vembu for StoreGrid 4.0 that address this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2016-20086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart