Cyber Resilience

CVE-2016-20058

High · Public PoC

Published: 04 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score (v4): 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0072 (49.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20058 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Netgate Amiti Antivirus. Its CVSS v4 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 49.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-20058 is an unquoted service path vulnerability affecting Netgate AMITI Antivirus build 23.0.305, specifically in the AmitiAvSrv and AmitiAntivirusHealth services. This issue, mapped to CWE-428, allows local attackers to escalate privileges by exploiting the lack of quotes around the service binary path in the Windows registry. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low complexity and requiring only local access and low privileges.

Local attackers with existing low-privilege access on the system can exploit this by placing a malicious executable at a location along the unquoted service path that Windows resolves before the legitimate service binary. When a service restart or system reboot is triggered, the malicious executable runs with LocalSystem privileges, potentially granting full control over the system, with high confidentiality, integrity, and availability impact.

Advisories and references include a detailed write-up from VulnCheck on the unquoted service path privilege escalation, an exploit published on Exploit-DB (ID 40540), and links to the vendor site at netgate.sk along with a potential download page. No specific patch details are outlined in the provided information, but security practitioners should check vendor resources for updates to affected builds.

Vulnerability details

Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 · Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1574.009 · Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.

Why these techniques?

Unquoted service path in Windows services directly enables path interception for privilege escalation to LocalSystem.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2016-20057 · Same vendor: Netgate
CVE-2022-50914 · Shared CWE-428
CVE-2020-36982 · Shared CWE-428
CVE-2020-36987 · Shared CWE-428
CVE-2021-47825 · Shared CWE-428
CVE-2020-37059 · Shared CWE-428
CVE-2020-36953 · Shared CWE-428
CVE-2022-50935 · Shared CWE-428
CVE-2021-47864 · Shared CWE-428
CVE-2020-37060 · Shared CWE-428

Affected Assets

netgate · amiti antivirus · ≤ 23.0.305

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires timely identification, reporting, and correction of flaws like the unquoted service path in the affected antivirus services to prevent privilege escalation.

prevent

Mandates secure configuration settings for system components, including properly quoting service executable paths in the Windows registry to block path hijacking by malicious executables.

prevent

Enforces least privilege for processes and services, limiting the privileges obtainable via hijacking the vulnerable antivirus services even if escalation occurs.
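
To apply the configuration-settings control above, the following added example (not code from the vendor, the advisory, or the referenced PoC) audits service ImagePath strings for the unquoted-path condition, lists the locations Windows probes before the real binary so their ACLs can be reviewed, and produces the quoted value to set. The service names and paths are constructed placeholders, since the page does not give the AMITI install path, and the `.exe` boundary detection is a heuristic assumption.

```python
import re

# Constructed sample ImagePath values (placeholders, not the real AMITI paths).
SAMPLE_SERVICES = {
    "ExampleAvSrv": r"C:\Program Files\Example Vendor\AV Engine\avsrv.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\AV Engine\health.exe" /run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "KernelDriver": r"\SystemRoot\System32\drivers\example.sys",
}

EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Heuristic: the executable is everything up to the first '.exe' that is
    followed by whitespace or end of string. With no match the whole string is
    returned, which is conservative and may over-report."""
    m = EXE_END.search(image_path)
    return image_path[:m.end()] if m else image_path

def audit_image_path(image_path):
    """Return None when the path is unambiguous, else a finding dict."""
    path = image_path.strip()
    if path.startswith('"') or path.startswith("\\"):
        return None  # already quoted, or a driver-style path (\SystemRoot\, \??\)
    exe = executable_part(path)
    if " " not in exe:
        return None  # spaces occur only in the arguments
    # Windows tries each space-delimited prefix + ".exe" before the real binary.
    # These are the locations whose write permissions a defender should verify.
    probes = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    fixed = '"' + exe + '"' + path[len(exe):]
    return {"probed_first": probes, "quoted_image_path": fixed}

def audit_services(services):
    """Map service name -> finding for every service with an unquoted path."""
    findings = {}
    for name, image_path in services.items():
        finding = audit_image_path(image_path)
        if finding:
            findings[name] = finding
    return findings

if __name__ == "__main__":
    for name, finding in audit_services(SAMPLE_SERVICES).items():
        print(name, "-> set ImagePath to:", finding["quoted_image_path"])
        for location in finding["probed_first"]:
            print("   verify non-administrators cannot write:", location)
```

On a real host the input dictionary would be populated from the ImagePath value of each service key under HKLM\SYSTEM\CurrentControlSet\Services.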
