{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/iperiusremote/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Iperius Remote 1.7.0"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","vulnerability","unquoted-service-path"],"_cs_type":"advisory","_cs_vendors":["Iperiusremote"],"content_html":"\u003cp\u003eCVE-2016-20089 describes an unquoted service path vulnerability impacting Iperius Remote version 1.7.0. This flaw allows a local attacker to escalate privileges to SYSTEM. The vulnerability arises when the Iperius Remote service is installed in a directory path containing spaces (e.g., \u003ccode\u003eC:\\Program Files\\Iperius Remote\\\u003c/code\u003e), but the service executable path is not enclosed in quotation marks in the Windows registry. An attacker can exploit this by placing a specially named malicious executable (e.g., \u003ccode\u003eProgram.exe\u003c/code\u003e) in an earlier part of the path (e.g., \u003ccode\u003eC:\\\u003c/code\u003e). When the vulnerable service attempts to start, the operating system will incorrectly interpret the path and execute the attacker's malicious payload with SYSTEM privileges, granting full control over the compromised system. 
This vulnerability has a CVSS v3.1 Base Score of 7.8, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: An attacker with local user privileges identifies an Iperius Remote 1.7.0 service installed on a Windows system with an unquoted service path, typically in a directory containing spaces (e.g., \u003ccode\u003eC:\\Program Files\\Iperius Remote\\IperiusRemoteService.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Placement\u003c/strong\u003e: The attacker places a malicious executable, for example, named \u003ccode\u003eProgram.exe\u003c/code\u003e, into the root directory of the drive (e.g., \u003ccode\u003eC:\\Program.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment\u003c/strong\u003e: The malicious executable is designed to perform its intended actions, such as creating a backdoor or enabling remote access, to maintain control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTriggering Execution\u003c/strong\u003e: The attacker either waits for the next scheduled service restart or system reboot, or manually triggers a service restart (if permitted by current privileges).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Interpretation\u003c/strong\u003e: When the Iperius Remote service attempts to start, the Windows Service Control Manager, due to the unquoted path, first attempts to execute \u003ccode\u003eC:\\Program.exe\u003c/code\u003e instead of the legitimate \u003ccode\u003eC:\\Program Files\\Iperius Remote\\IperiusRemoteService.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker's \u003ccode\u003eC:\\Program.exe\u003c/code\u003e is executed with the high privileges of the Iperius Remote service, which typically runs as the 
\u003ccode\u003eSYSTEM\u003c/code\u003e user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: The malicious \u003ccode\u003eProgram.exe\u003c/code\u003e payload executes with SYSTEM privileges, granting the attacker full control over the system and enabling further actions such as exfiltrating data, deploying additional malware, or creating new privileged user accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2016-20089 leads to local privilege escalation from a standard user account to SYSTEM privileges. This grants the attacker complete control over the compromised Windows system, including the ability to bypass security controls, install rootkits, create new administrative users, or disable critical security software. While no specific victim count or targeted sectors are detailed, any organization utilizing Iperius Remote 1.7.0 on Windows systems is susceptible and faces severe consequences including data breach, system compromise, and further network infiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2016-20089\u003c/strong\u003e: Immediately update Iperius Remote to a version higher than 1.7.0 that addresses the unquoted service path vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Quoted Paths\u003c/strong\u003e: Ensure all Windows services are installed with their executable paths enclosed in quotation marks in the registry, especially for services located in directories containing spaces.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rule for Execution\u003c/strong\u003e: Deploy the \u0026quot;Detect CVE-2016-20089 Exploitation - Unquoted Service Path Execution\u0026quot; Sigma rule to your SIEM to alert on suspicious process executions from common unquoted service path 
prefixes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rule for File Creation\u003c/strong\u003e: Deploy the \u0026quot;Detect Suspicious Executable Creation in Unquoted Service Path Locations\u0026quot; Sigma rule to your SIEM to identify attacker attempts to stage malicious executables.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Process Creation Logging\u003c/strong\u003e: Ensure \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., via Sysmon) is enabled on all Windows endpoints to support the detection rules provided.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable File Event Logging\u003c/strong\u003e: Ensure \u003ccode\u003efile_event\u003c/code\u003e logging (e.g., via Sysmon) is enabled on all Windows endpoints to support detection of suspicious file creations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T15:55:21Z","date_published":"2026-06-19T15:55:21Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2016-20089-iperius-remote/","summary":"An unquoted service path vulnerability, CVE-2016-20089, in Iperius Remote version 1.7.0 allows a local attacker to execute arbitrary code with SYSTEM privileges by placing a malicious executable in a specific directory when the legitimate service path contains spaces, enabling privilege escalation upon service restart or system reboot.","title":"CVE-2016-20089: Iperius Remote Unquoted Service Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2016-20089-iperius-remote/"}],"language":"en","title":"CraftedSignal Threat Feed - Iperiusremote","version":"https://jsonfeed.org/version/1.1"}