CVE-2016-20057
Published: 04 April 2026
Summary
CVE-2016-20057 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Netgate Registry Cleaner. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 44.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2016-20057 affects NETGATE Registry Cleaner build 16.0.205, specifically an unquoted service path vulnerability in the NGRegClnSrv service. This configuration flaw in the service binary path enables local privilege escalation, as documented with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-428.
A local attacker with low privileges can exploit this vulnerability by placing a malicious executable in the unquoted path parsed by the service. Triggering a service restart or system reboot then executes the malicious code with LocalSystem privileges, potentially granting full system compromise.
Advisories and related resources, including the vendor site at http://www.netgate.sk/ and a download page at http://www.netgate.sk/download/download.php?id=4, provide context on the issue. A proof-of-concept exploit is available at https://www.exploit-db.com/exploits/40539, and further details appear in the VulnCheck advisory at https://www.vulncheck.com/advisories/netgate-registry-cleaner-build-unquoted-service-path-privilege-escalation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10864
Vulnerability details
NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger…
more
service restart or system reboot to execute code with LocalSystem privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path in Windows service directly enables path interception for privilege escalation via malicious binary placement.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates secure configuration settings for system components, including properly quoting service executable paths to prevent exploitation of unquoted paths.
Requires identification, reporting, and timely correction of system flaws, directly addressing configuration vulnerabilities like unquoted service paths.
Enforces least privilege for processes such as services, reducing the privilege level gained from exploiting the unquoted path vulnerability.