CVE-2020-37253 | Winstep 18.06.0096 contains an unquoted service path vulnera… | CVSS 7.8 HIGH

Description

Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.

Metadata

CVE ID: CVE-2020-37253
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-19 14:05 UTC
Published: 2026-06-19 14:16 UTC
Last updated: 2026-06-19 14:16 UTC
Primary CWE: CWE-428
Unquoted Search Path or Element
Vendor / Product: Winstep / Winstep
Sources: cve.org · NVD

Severity & Metrics

7.8 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Winstep	Winstep	—	18.06.0096

Weakness (CWE)

CWE	Source	Description
CWE-428	cna	Unquoted Search Path or Element

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.5	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.8	HIGH	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

ExploitDB-49004 https://www.exploit-db.com/exploits/49004
VulnCheck Advisory: Winstep 18.06.0096 Unquoted Service Path Privilege Escalation https://www.vulncheck.com/advisories/winstep-unquoted-service-path-privilege-escalation