CVE-2019-25308
Published: 11 February 2026
Summary
CVE-2019-25308 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Mikogo Mikogo. Its CVSS base score is 7.8 (High).
Operationally, ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
CM-6 mandates secure configuration settings for Windows services, including properly quoted binary paths, directly preventing exploitation of unquoted service path vulnerabilities like CVE-2019-25308.
SI-2 requires identification, reporting, and correction of system flaws such as the unquoted path in Mikogo-Service, eliminating the vulnerability through timely remediation.
CM-2 establishes and maintains baseline configurations that specify secure service paths without unquoted vulnerabilities, ensuring Mikogo-Service is deployed correctly.
NVD Description
Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific path locations.
Deeper analysisAI
CVE-2019-25308 is an unquoted service path vulnerability in the Mikogo-Service Windows service configuration within Mikogo version 5.2.2.150317. This issue, mapped to CWE-428, allows attackers to exploit the unquoted path by placing executable files in specific locations, enabling code injection and execution with LocalSystem privileges. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with minimal complexity and no user interaction required. By dropping malicious executables in the expected unquoted path directories, the attacker tricks the service into executing their code upon startup or restart, achieving high-impact confidentiality, integrity, and availability effects, including potential full system compromise under LocalSystem context.
Advisories, including the Vulncheck advisory on the Mikogo-Service unquoted service path and an Exploit-DB entry (47510) demonstrating the exploit, highlight the configuration flaw but do not specify patches or vendor mitigations in the available references. A Tucows preview page for Mikogo provides additional software context. Security practitioners should verify service path configurations and consider removing or updating legacy Mikogo installations.
Details
- CWE(s)