CVE-2016-20091
Received Received - Intake
Unquoted Service Path in Windows Firewall Control 4.8.6.0

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2016-20091
EUVD
EUVD-2016-10904
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
binisoft windows_firewall_control 4.8.6.0
bini_soft windows_firewall_control 4.8.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows a local attacker to escalate their privileges to LocalSystem level by placing a malicious executable in an unquoted service path directory.

With elevated privileges, the attacker can execute code with high-level system permissions, potentially leading to full system compromise, unauthorized access to sensitive data, or disruption of system operations.

Executive Summary

This vulnerability is an unquoted service path issue in Windows Firewall Control version 4.8.6.0. Because the service's executable path is not enclosed in quotation marks, a local attacker can place a malicious executable file in a directory along the service path that contains spaces in its name.

When the wfcs.exe service restarts or the system reboots, the service may execute the malicious executable with LocalSystem privileges, allowing the attacker to escalate their privileges on the affected system.

Detection Guidance

This vulnerability can be detected by checking the service path of the wfcs.exe service for unquoted spaces. If the service executable path contains spaces and is not enclosed in quotation marks, it is vulnerable to privilege escalation.

A common method to detect unquoted service paths on Windows is to use the command line to query the service configuration and inspect the ImagePath value.

  • Run the command: sc qc wfcs
  • Check the output for the BINARY_PATH_NAME field and verify if the path contains spaces without surrounding quotes.
  • Alternatively, use PowerShell to list all services with unquoted paths: Get-WmiObject win32_service | where {$_.pathname -like '* *' -and $_.pathname -notlike '"*"'} | select name, pathname
Mitigation Strategies

To mitigate this vulnerability, immediately ensure that the service executable path is enclosed in quotation marks to prevent execution of malicious files placed in the service path.

You can edit the service configuration to add quotes around the executable path or update the software to a version where this issue is fixed.

  • Use the command: sc config wfcs binPath= """C:\Path To\wfcs.exe""" (adjusting the path as necessary) to add quotes around the service path.
  • Restart the service or reboot the system after applying the fix.

Additionally, restrict local user permissions to prevent unauthorized users from placing executables in directories listed in the service path.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2016-20091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart