CVE-2016-20059

High · Public PoC

Published: 04 April 2026

Modified: 27 April 2026
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0018 (7.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20059 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in IObit Malware Fighter. Its CVSS v4 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). By exploit likelihood it ranks at the 7.3th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2016-20059 is an unquoted service path vulnerability affecting IObit Malware Fighter version 4.3.1, specifically in the IMFservice and LiveUpdateSvc Windows services. This flaw, classified under CWE-428, arises when the service executable paths are not properly quoted, enabling local privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low complexity and low privileges required.

Local attackers with low-level privileges can exploit this vulnerability by placing a malicious executable in a directory along the unquoted service path. When the affected service restarts or the system reboots, the malicious executable executes with LocalSystem privileges, allowing full control over the system, including high confidentiality, integrity, and availability impacts.

Advisories and resources, including the VulnCheck advisory on the IObit Malware Fighter unquoted service path privilege escalation and an Exploit-DB entry (exploit 40525), detail the issue and provide proof-of-concept exploitation. IObit product pages offer downloads for Malware Fighter, potentially including updated versions, though specific patch details are not outlined in the provided references.

Vulnerability details

IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Attackers can insert a malicious executable file in the unquoted service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.

Why these techniques?

Unquoted service path in IMFservice/LiveUpdateSvc directly enables path interception by unquoted path (T1574.009) for local privilege escalation to LocalSystem.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2016-20055 · Same vendor: IObit
CVE-2020-36928 · Shared CWE-428
CVE-2023-54336 · Shared CWE-428
CVE-2020-37048 · Shared CWE-428
CVE-2019-25306 · Shared CWE-428
CVE-2020-36979 · Shared CWE-428
CVE-2020-36929 · Shared CWE-428
CVE-2020-37017 · Shared CWE-428
CVE-2021-47859 · Shared CWE-428
CVE-2019-25309 · Shared CWE-428

Affected Assets

Vendor: iobit · Product: malware fighter · Version: ≤ 4.3.1

Mitigating Controls (NIST 800-53 r5) AI

Prevent: CM-6 enforces secure configuration settings for system components, directly preventing exploitation by requiring properly quoted executable paths in services like IMFservice and LiveUpdateSvc.

Prevent: SI-2 requires timely identification, reporting, and correction of flaws such as the unquoted service path vulnerability in IObit Malware Fighter, eliminating the privilege escalation risk.

Detect: RA-5 vulnerability scanning identifies unquoted service path vulnerabilities in Windows services like IMFservice and LiveUpdateSvc, enabling detection and prioritization for remediation.
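An added example (not from the advisory or from IObit) of the check an RA-5 scan applies and the CM-6 setting it enforces: it flags service ImagePath values that are unquoted and contain a space in the executable path, and returns the quoted value to set instead. The executable paths below are constructed placeholders, not the product's real install paths; only the two service names come from this page.

```python
import re

# Executable part of an unquoted ImagePath: everything up to the first ".exe"
# that is followed by whitespace or end of string; the rest is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)

def audit_image_path(image_path):
    """Classify one service ImagePath value.

    Returns (status, fixed): status is 'ok', 'unquoted' or 'skipped';
    fixed is the quoted replacement value when status is 'unquoted'.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return ("ok", None)            # already quoted
    m = _EXE_RE.match(value)
    if not m:
        return ("skipped", None)       # e.g. kernel drivers (.sys)
    exe, args = m.group(1), m.group(2)
    if " " not in exe:
        return ("ok", None)            # spaces only in arguments are harmless
    return ("unquoted", f'"{exe}"{args}')

def audit_services(services):
    """Map each vulnerable service name to its corrected ImagePath."""
    findings = {}
    for name, image_path in services.items():
        status, fixed = audit_image_path(image_path)
        if status == "unquoted":
            findings[name] = fixed
    return findings

# Constructed sample data. On a live host these values are read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "IMFservice": r"C:\Program Files (x86)\Placeholder Vendor\Placeholder App\svc1.exe",
    "LiveUpdateSvc": r"C:\Program Files (x86)\Placeholder Vendor\Placeholder App\svc2.exe /update",
    "QuotedSvc": r'"C:\Program Files\Placeholder App\svc3.exe" /run',
    "HostSvc": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "DriverSvc": r"\SystemRoot\System32\drivers\placeholder.sys",
}

if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath, set to {fixed}")
```

Only the first two sample entries are reported; the quoted path, the space-free path with arguments, and the driver entry are not.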