CVE-2016-20056
Published: 04 April 2026
Summary
CVE-2016-20056 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Spy Emergency (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2016-20056 is an unquoted service path vulnerability affecting Spy Emergency build 23.0.205, specifically in the SpyEmrgHealth and SpyEmrgSrv Windows services. This flaw, classified under CWE-428, arises when the service binaries are referenced with unquoted paths containing spaces, enabling local privilege escalation. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
Local attackers with low-privilege access can exploit this vulnerability by placing malicious executable files in directories along the unquoted service path. By triggering a service restart or system reboot, the services execute the attacker's code with LocalSystem privileges, allowing full system compromise from an initial low-privilege foothold.
Advisories, such as the one from VulnCheck and an Exploit-DB proof-of-concept (exploit 40550), detail the issue but do not specify patches in available information. Security practitioners should check the vendor site at spy-emergency.com or its download page for updates, as no mitigation details are provided in the CVE description.
A public exploit is available on Exploit-DB, indicating potential for real-world local privilege escalation attacks on affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10863
Vulnerability details
Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service…
more
restart or system reboot to execute code with LocalSystem privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path (CWE-428) in Windows services directly enables T1574.009 Path Interception by Unquoted Path, allowing low-privileged local attackers to place a malicious executable for LocalSystem execution on service start.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces secure configuration settings for services, including quoted executable paths in registry keys, directly preventing exploitation of unquoted service path vulnerabilities like CVE-2016-20056.
Mandates timely flaw remediation through patching or reconfiguration of vulnerable services such as SpyEmrgHealth and SpyEmrgSrv, addressing the specific unquoted path issue.
Applies least privilege to service accounts, limiting the impact of privilege escalation even if a malicious executable is launched via the unquoted service path.