CVE-2017-20218
Published: 16 March 2026
Summary
CVE-2017-20218 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Securiteam (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2017-20218 is an unquoted search path vulnerability (CWE-428) in the Windows service of Serviio PRO 1.8. This flaw allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions provide full access to the Users group, enabling authenticated users to replace the service's executable file with arbitrary binaries.
The vulnerability can be exploited by local authenticated users requiring low privileges (PR:L), with low attack complexity (AC:L) and no user interaction (UI:N). Attackers can achieve privilege escalation by leveraging the unquoted path during service startup or system reboot, resulting in high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories and proof-of-concept exploits are available from sources including Securiteam, CXSecurity, IBM X-Force Exchange, PacketStorm Security, and Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-18930
Vulnerability details
Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access…
more
for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path (CWE-428) directly enables T1574.009 path interception; weak directory permissions on the service binary enable T1574.010 service file permissions weakness; both result in local privilege escalation matching T1068.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Establishes and enforces secure configuration settings for Windows services, including quoted executable paths and restrictive directory permissions to directly prevent exploitation via unquoted search paths or unauthorized file replacement.
Restricts and authorizes access to change service executables and directories, blocking low-privileged users from replacing binaries with malicious ones.
Verifies and monitors the integrity of service executables, identifying unauthorized modifications or replacements that exploit improper permissions.