Cyber Resilience

CVE-2016-20055

HighPublic PoC

Published: 04 April 2026

Published
04 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0018 7.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2016-20055 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Iobit Advanced System Care. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-20055 is an unquoted service path vulnerability in IObit Advanced SystemCare version 10.0.2, specifically affecting the AdvancedSystemCareService10 Windows service. The issue, classified under CWE-428, arises because the service binary path is not properly quoted, allowing local attackers to escalate privileges. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity for local users.

A local attacker with low privileges can exploit this by placing a malicious executable in a directory that precedes the legitimate service binary in the Windows search path, such as within the parent directories of the service's path. When the AdvancedSystemCareService10 restarts or the system reboots, the service launcher executes the malicious binary instead, running it with LocalSystem privileges and enabling full system compromise, including arbitrary code execution with high confidentiality, integrity, and availability impacts.

Advisories from VulnCheck detail the unquoted service path privilege escalation, while Exploit-DB hosts a public exploit (ID 40577) demonstrating the attack. References to IObit product pages, including the Advanced SystemCare free download, are provided, but specific patch or mitigation instructions from the vendor are not detailed in the CVE information.

EU & UK References

Vulnerability details

IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or…

more

the system reboots, executing code with LocalSystem privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.009 Path Interception by Unquoted Path Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted service path (CWE-428) in Windows service directly enables path interception by unquoted path for privilege escalation to LocalSystem.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2016-20059Same vendor: Iobit
CVE-2020-36928Shared CWE-428
CVE-2023-54336Shared CWE-428
CVE-2020-37048Shared CWE-428
CVE-2019-25306Shared CWE-428
CVE-2020-36979Shared CWE-428
CVE-2020-36929Shared CWE-428
CVE-2020-37017Shared CWE-428
CVE-2021-47859Shared CWE-428
CVE-2019-25309Shared CWE-428

Affected Assets

iobit
advanced system care
≤ 10.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws like the unquoted service path vulnerability in AdvancedSystemCareService10 to prevent local privilege escalation.

prevent

Enforces secure configuration settings for Windows services, including properly quoted binary paths, directly preventing exploitation of unquoted service path vulnerabilities.

prevent

Applies least privilege to services like AdvancedSystemCareService10, limiting the damage from privilege escalation even if the unquoted path is exploited.

References