CVE-2016-20061
Published: 04 April 2026
Summary
CVE-2016-20061 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Sheedantivirus (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE is ranked at the 2.4th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2016-20061 is an unquoted service path vulnerability affecting sheed AntiVirus version 2.3, specifically in the ShavProt service. The issue arises from the service binary path lacking proper quotation, enabling local attackers to escalate privileges. By placing a malicious executable in an intermediate directory along the unquoted path, attackers can hijack the service execution upon restart.
Local low-privileged users (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N). Upon inserting the malicious executable and triggering a service restart or system reboot, the payload executes with LocalSystem privileges, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 7.8, with no scope change (S:U).
Advisories and references, including those from VulnCheck and Exploit-DB (exploit 40497), document the vulnerability and provide proof-of-concept details. The vendor site (sheedantivirus.ir) and setup executable are also referenced, though no specific patch details are outlined in the available information. Practitioners should verify service paths and apply updates if available from the vendor.
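One way to carry out the service-path check recommended above, as an added PowerShell example (not code from the vendor, the advisories, or the referenced proof-of-concept). The function name `Test-UnquotedServicePath` and the sample paths are constructed for illustration; the actual ShavProt binary path is not given on this page.

```powershell
# Added example: flag service binary paths that are unquoted and contain a
# space in the executable portion (CWE-428).
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PathName)

    $p = $PathName.Trim()
    # Empty or already-quoted paths are not affected.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe" that is
    # followed by whitespace or end of string. Spaces in the arguments after it
    # are harmless. If no ".exe" is found, the whole string is checked.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    return $exe.Contains(' ')
}

# Constructed sample values (hypothetical service names and paths).
$samples = [ordered]@{
    'ExampleUnquoted' = 'C:\Program Files\Example Vendor\ExampleSvc.exe'
    'ExampleQuoted'   = '"C:\Program Files\Example Vendor\ExampleSvc.exe" /service'
    'ExampleNoSpace'  = 'C:\Windows\System32\svchost.exe -k netsvcs'
}
foreach ($name in $samples.Keys) {
    # Only ExampleUnquoted is flagged.
    '{0,-16} flagged={1}' -f $name, (Test-UnquotedServicePath $samples[$name])
}

# Live audit: list every installed service with an affected path, together
# with the account it runs as. Skipped where Get-CimInstance is unavailable.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
        Select-Object Name, StartName, StartMode, PathName |
        Sort-Object Name
}
```

A service reported by the live audit is corrected by enclosing its `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>` in double quotes, which is the configuration setting CM-6 refers to.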
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10871
Vulnerability details
sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unquoted service path in ShavProt directly enables path interception: an executable placed in an intermediate directory hijacks the service on restart.
Mitigating Controls (NIST 800-53 r5)
CM-6 mandates secure configuration settings for services, including properly quoted binary paths, directly preventing privilege escalation via path hijacking in CVE-2016-20061.
SI-2 requires identification and correction of flaws like the unquoted service path in sheed AntiVirus, mitigating the vulnerability through remediation.
RA-5 employs vulnerability scanning to detect unquoted service path issues specific to CVE-2016-20061 in the ShavProt service.