CVE-2016-20056

High · Public PoC

Published: 04 April 2026

Modified: 16 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0015 (4.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20056 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Spy Emergency (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 4.9th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-20056 is an unquoted service path vulnerability affecting Spy Emergency build 23.0.205, specifically in the SpyEmrgHealth and SpyEmrgSrv Windows services. This flaw, classified under CWE-428, arises when the service binaries are referenced with unquoted paths containing spaces, enabling local privilege escalation. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Local attackers with low-privilege access can exploit this vulnerability by placing malicious executable files in directories along the unquoted service path. By triggering a service restart or system reboot, the services execute the attacker's code with LocalSystem privileges, allowing full system compromise from an initial low-privilege foothold.

Advisories, such as the one from VulnCheck and an Exploit-DB proof-of-concept (exploit 40550), detail the issue, but the available information does not specify a patch. Security practitioners should check the vendor site at spy-emergency.com or its download page for updates, as no mitigation details are provided in the CVE description.

A public exploit is available on Exploit-DB, indicating potential for real-world local privilege escalation attacks on affected systems.

EU & UK References

Vulnerability details

Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted service path (CWE-428) in Windows services directly enables T1574.009 Path Interception by Unquoted Path, allowing low-privileged local attackers to place a malicious executable for LocalSystem execution on service start.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36928 · Shared CWE-428
CVE-2023-54336 · Shared CWE-428
CVE-2020-37048 · Shared CWE-428
CVE-2019-25306 · Shared CWE-428
CVE-2020-36979 · Shared CWE-428
CVE-2020-36929 · Shared CWE-428
CVE-2020-37017 · Shared CWE-428
CVE-2021-47859 · Shared CWE-428
CVE-2019-25309 · Shared CWE-428
CVE-2021-47790 · Shared CWE-428

Affected Assets

Spy Emergency
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces secure configuration settings for services, including quoted executable paths in registry keys, directly preventing exploitation of unquoted service path vulnerabilities like CVE-2016-20056.

prevent · recover

Mandates timely flaw remediation through patching or reconfiguration of vulnerable services such as SpyEmrgHealth and SpyEmrgSrv, addressing the specific unquoted path issue.

prevent

Applies least privilege to service accounts, limiting the impact of privilege escalation even if a malicious executable is launched via the unquoted service path.
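
The configuration check described under the first control above (quoted executable paths in service registry values) can be automated over an export of service ImagePath values. The following is an added example, not code from the advisory or the vendor; the function names are hypothetical, and the file paths in the sample data are constructed placeholders because the page does not give the real install paths.

```python
import re
from typing import NamedTuple, Optional

# End of the executable name: ".exe" followed by whitespace or end of string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


class Finding(NamedTuple):
    service: str
    image_path: str   # value as found
    quoted_fix: str   # value with the executable path quoted


def split_unquoted(image_path: str) -> Optional[tuple]:
    """Split an unquoted ImagePath into (exe_path, args); None if no .exe is present."""
    m = _EXE_END.search(image_path)
    if m is None:
        return None
    return image_path[:m.end()], image_path[m.end():].strip()


def audit(services: dict) -> list:
    """Flag services whose executable path is unquoted and contains a space (CWE-428)."""
    findings = []
    for name, raw in services.items():
        value = raw.strip()
        if value.startswith('"'):
            continue  # already quoted
        parts = split_unquoted(value)
        if parts is None:
            continue  # not an .exe image (e.g. a driver); out of scope here
        exe, args = parts
        if " " in exe:  # spaces in arguments alone are harmless
            fix = f'"{exe}"' + (f" {args}" if args else "")
            findings.append(Finding(name, value, fix))
    return findings


# Constructed sample export: service names are from the advisory, paths are placeholders.
SAMPLE = {
    "SpyEmrgSrv": r"C:\Program Files\PLACEHOLDER Vendor\PLACEHOLDER App\svc.exe",
    "SpyEmrgHealth": r"C:\Program Files\PLACEHOLDER Vendor\PLACEHOLDER App\health.exe -run",
    "QuotedSvc": r'"C:\Program Files\Example\ok.exe" -k',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.service}: {f.image_path}\n  fix -> {f.quoted_fix}")
```

The quoted_fix value is what the service's ImagePath should be set to; arguments are preserved outside the quotes.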

References