Cyber Resilience

CVE-2017-20218

High · Public PoC

Published: 16 March 2026
Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0014 (3.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2017-20218 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in the Windows service of Serviio PRO 1.8. The affected asset is listed as Securiteam, which was inferred from references. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2017-20218 is an unquoted search path vulnerability (CWE-428) in the Windows service of Serviio PRO 1.8. This flaw allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions provide full access to the Users group, enabling authenticated users to replace the service's executable file with arbitrary binaries.

The vulnerability can be exploited by local authenticated users requiring low privileges (PR:L), with low attack complexity (AC:L) and no user interaction (UI:N). Attackers can achieve privilege escalation by leveraging the unquoted path during service startup or system reboot, resulting in high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories and proof-of-concept exploits are available from sources including Securiteam, CXSecurity, IBM X-Force Exchange, PacketStorm Security, and Exploit-DB.

EU & UK References

Vulnerability details

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.009 Path Interception by Unquoted Path · Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
T1574.010 Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Why these techniques?

Unquoted service path (CWE-428) directly enables T1574.009 path interception; weak directory permissions on the service binary enable T1574.010 service file permissions weakness; both result in local privilege escalation matching T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-50914 · Shared CWE-428
CVE-2020-36982 · Shared CWE-428
CVE-2020-36987 · Shared CWE-428
CVE-2021-47825 · Shared CWE-428
CVE-2020-37059 · Shared CWE-428
CVE-2020-36953 · Shared CWE-428
CVE-2022-50935 · Shared CWE-428
CVE-2021-47864 · Shared CWE-428
CVE-2020-37060 · Shared CWE-428
CVE-2019-25308 · Shared CWE-428

Affected Assets

Securiteam
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Establishes and enforces secure configuration settings for Windows services, including quoted executable paths and restrictive directory permissions to directly prevent exploitation via unquoted search paths or unauthorized file replacement.

prevent

Restricts and authorizes access to change service executables and directories, blocking low-privileged users from replacing binaries with malicious ones.

detect

Verifies and monitors the integrity of service executables, identifying unauthorized modifications or replacements that exploit improper permissions.
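The quoted-path configuration check described above can be run over service ImagePath values exported from the registry. The following is an added example, not code from this page or from the Serviio project; the service names, paths and environment-variable defaults are constructed for illustration, and it covers only the quoting check, not the directory permission issue.

```python
import re

# Constructed sample: service name -> ImagePath value as exported from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# Names and paths are made up; they are not taken from the Serviio installer.
SAMPLE_SERVICES = {
    "ExampleMedia": r"C:\Program Files\Example Media\bin\MediaService.exe -run",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" --service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "EnvVar": r"%ProgramFiles%\Vendor\agent.exe",
}

# Assumed default expansions; ImagePath is usually REG_EXPAND_SZ, so a value
# without a literal space can still expand to a path that contains one.
ENV = {"%programfiles%": r"C:\Program Files", "%systemroot%": r"C:\Windows"}
EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def expand(path):
    """Expand %VAR% references using the assumed ENV table."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def split_image_path(image_path):
    """Return (executable, arguments, quoted) for one ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unbalanced quote: not a properly quoted path
            return value[1:], "", False
        return value[1:end], value[end + 1:].strip(), True
    match = EXE_END.search(value)
    if match:
        return value[:match.end()], value[match.end():].strip(), False
    return value, "", False


def audit(services):
    """Map each service with an unquoted, space-containing path to its quoted form."""
    findings = {}
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in expand(exe):
            continue
        findings[name] = f'"{exe}" {args}'.strip()
    return findings


if __name__ == "__main__":
    for service, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{service}: set ImagePath to {fixed}")
```
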

References