CVE-2025-41359
Published: 26 March 2026
Summary
CVE-2025-41359 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Smallsrv Small Http Server. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identifying, reporting, and correcting flaws like CVE-2025-41359 through timely application of vendor security patches.
Enforces and documents secure configuration settings for system components, including proper quoting of Windows service executable paths to prevent hijacking.
Vulnerability scanning tools detect unquoted service path misconfigurations specific to this CVE for subsequent remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path (CWE-428) directly enables path interception by unquoted path for malicious executable hijacking during service start.
NVD Description
Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher…
more
priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
Deeper analysisAI
CVE-2025-41359 is an unquoted service path vulnerability in Small HTTP Server version 3.06.36, specifically impacting the service executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This classic misconfiguration (CWE-428) occurs because the service path lacks proper quotation marks, allowing the Windows service control manager to prioritize executable searches in higher directories within the system path. The vulnerability was published on 2026-03-26 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H), indicating high impact on confidentiality, integrity, and availability.
A local attacker with low privileges can exploit this flaw by placing a malicious executable named 'http.exe' in a directory that takes precedence in the system's PATH environment variable, such as C:\Windows. When the service starts or restarts, it will execute the attacker's binary instead of the legitimate one, enabling arbitrary code execution with the privileges of the service account. Successful exploitation could grant unauthorized system access, privilege escalation, or denial-of-service through service disruption.
Mitigation guidance from advisories, including the INCIBE-CERT notice at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv, recommends quoting the service path correctly in the Windows registry, applying available security patches to update the software, and limiting physical and network access to affected systems to reduce local attack opportunities.
Details
- CWE(s)