{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2016-20061/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2016-20061"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","unquoted-service-path","cve-2016-20061"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSheed AntiVirus 2.3 is vulnerable to an unquoted service path vulnerability (CVE-2016-20061) affecting the ShavProt service. This vulnerability, disclosed in April 2026, allows a local attacker with limited privileges to escalate their privileges to SYSTEM. The attack involves placing a malicious executable in a directory within the unquoted service path. When the ShavProt service starts (either through a service restart or system reboot), it attempts to execute binaries along the unquoted path. If the attacker-controlled malicious executable is encountered first, it will be executed with LocalSystem privileges. This poses a significant risk as it allows attackers to gain complete control over the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the unquoted service path for the ShavProt service in Sheed AntiVirus 2.3. This path is typically found in the Windows Registry under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\ShavProt\\ImagePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable (e.g., \u003ccode\u003eevil.exe\u003c/code\u003e) designed to perform actions with elevated privileges (e.g., creating a new administrator account or disabling security features).\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious executable (\u003ccode\u003eevil.exe\u003c/code\u003e) in a directory along the unquoted service path, ensuring it is named to match a directory name within the path. For example, if the path is \u003ccode\u003eC:\\Program Files\\Sheed AntiVirus\\ShavProt.exe\u003c/code\u003e, they might create a directory named \u0026ldquo;Program\u0026rdquo; and place \u003ccode\u003eevil.exe\u003c/code\u003e in \u003ccode\u003eC:\\evil.exe\u003c/code\u003e. This will make the system attempt to execute \u003ccode\u003eC:\\evil.exe Files\\Sheed AntiVirus\\ShavProt.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a restart of the ShavProt service. This can be achieved using the \u003ccode\u003enet stop\u003c/code\u003e and \u003ccode\u003enet start\u003c/code\u003e commands, or through the Services management console (\u003ccode\u003eservices.msc\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker can induce a system reboot to trigger the service to start automatically.\u003c/li\u003e\n\u003cli\u003eAs the service starts, Windows attempts to execute the ShavProt service binary, but due to the unquoted path, it first executes the attacker\u0026rsquo;s malicious executable (\u003ccode\u003eevil.exe\u003c/code\u003e) with LocalSystem privileges.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as creating a new administrator account, modifying system files, or installing backdoors.\u003c/li\u003e\n\u003cli\u003eThe attacker now has persistent access to the system with LocalSystem privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to gain complete control over the affected system. This can lead to sensitive data theft, installation of malware, disruption of services, and potential compromise of the entire network if the attacker pivots to other systems. The vulnerability affects all installations of Sheed AntiVirus 2.3, potentially impacting a wide range of users if the antivirus is still deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or upgrades for Sheed AntiVirus. If no patch is available, consider uninstalling the software.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for execution of binaries from unusual paths that coincide with unquoted service paths as a generic preventative measure using the \u0026ldquo;Detect Suspicious Process Creation in Unquoted Path\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor service creation events (if possible via endpoint detection) for services with unquoted paths.\u003c/li\u003e\n\u003cli\u003eBlock the download URL \u003ccode\u003ehttp://dl.sheedantivirus.ir/setup.exe\u003c/code\u003e at the network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T14:16:18Z","date_published":"2026-04-04T14:16:18Z","id":"/briefs/2026-04-sheed-antivirus-privesc/","summary":"Sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by placing a malicious executable in the unquoted path, leading to arbitrary code execution as LocalSystem.","title":"Sheed AntiVirus Unquoted Service Path Privilege Escalation (CVE-2016-20061)","url":"https://feed.craftedsignal.io/briefs/2026-04-sheed-antivirus-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2016-20061","version":"https://jsonfeed.org/version/1.1"}