Cyber Resilience

CVE-2016-20061

HighPublic PoC

Published: 04 April 2026

Published
04 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0012 2.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2016-20061 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Sheedantivirus (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2016-20061 is an unquoted service path vulnerability affecting sheed AntiVirus version 2.3, specifically in the ShavProt service. The issue arises from the service binary path lacking proper quotation, enabling local attackers to escalate privileges. By placing a malicious executable in an intermediate directory along the unquoted path, attackers can hijack the service execution upon restart.

Local low-privileged users (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N). Upon inserting the malicious executable and triggering a service restart or system reboot, the payload executes with LocalSystem privileges, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 7.8, with no scope change (S:U).

Advisories and references, including those from VulnCheck and Exploit-DB (exploit 40497), document the vulnerability and provide proof-of-concept details. The vendor site (sheedantivirus.ir) and setup executable are also referenced, though no specific patch details are outlined in the available information. Practitioners should verify service paths and apply updates if available from the vendor.

EU & UK References

Vulnerability details

sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart…

more

or system reboot to execute code with LocalSystem privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.009 Path Interception by Unquoted Path Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Unquoted service path in ShavProt directly enables path interception by placing executable in intermediate directory for service hijack on restart.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36928Shared CWE-428
CVE-2023-54336Shared CWE-428
CVE-2020-37048Shared CWE-428
CVE-2019-25306Shared CWE-428
CVE-2020-36979Shared CWE-428
CVE-2020-36929Shared CWE-428
CVE-2020-37017Shared CWE-428
CVE-2021-47859Shared CWE-428
CVE-2019-25309Shared CWE-428
CVE-2021-47790Shared CWE-428

Affected Assets

Sheedantivirus
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

CM-6 mandates secure configuration settings for services, including properly quoted binary paths, directly preventing privilege escalation via path hijacking in CVE-2016-20061.

preventrecover

SI-2 requires identification and correction of flaws like the unquoted service path in sheed AntiVirus, mitigating the vulnerability through remediation.

detect

RA-5 employs vulnerability scanning to detect unquoted service path issues specific to CVE-2016-20061 in the ShavProt service.

References