{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/matrix42/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2016-20095"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Matrix42 Remote Control Host 3.20.0031"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","unquoted-service-path","windows","matrix42"],"_cs_type":"advisory","_cs_vendors":["Matrix42"],"content_html":"\u003cp\u003eCVE-2016-20095 describes an unquoted service path vulnerability impacting Matrix42 Remote Control Host version 3.20.0031. Specifically, the \u003ccode\u003eFastViewerRemoteService\u003c/code\u003e and \u003ccode\u003eFastViewerRemoteProxy\u003c/code\u003e services are susceptible. This flaw allows a local attacker, who already has basic user access to a vulnerable system, to escalate their privileges to SYSTEM. The vulnerability arises because the service executable's path is not enclosed in quotation marks during registration, enabling the Windows Service Control Manager to misinterpret spaces in the path. By strategically placing a malicious executable with a crafted name (e.g., \u003ccode\u003eProgram.exe\u003c/code\u003e) within the \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e directory, an attacker can trick the operating system into executing their arbitrary code with elevated permissions during service startup, gaining full control over the compromised host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local user access to a system running Matrix42 Remote Control Host.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the \u003ccode\u003eFastViewerRemoteService\u003c/code\u003e or \u003ccode\u003eFastViewerRemoteProxy\u003c/code\u003e services are configured with an unquoted service path, such as \u003ccode\u003eC:\\Program Files\\Matrix42\\Remote Control Host\\FastViewerRemoteService.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable, for instance, \u003ccode\u003eProgram.exe\u003c/code\u003e, designed to perform unauthorized actions (e.g., create a new user, install a backdoor, deploy additional malware).\u003c/li\u003e\n\u003cli\u003eThe attacker places this \u003ccode\u003eProgram.exe\u003c/code\u003e file into the \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e directory, which is often writable by standard users, especially within certain subdirectories or older Windows versions.\u003c/li\u003e\n\u003cli\u003eThe attacker waits for a system reboot, forces a service restart (if permissions allow), or waits for an administrative action that triggers a restart of the vulnerable service.\u003c/li\u003e\n\u003cli\u003eDuring service startup, the Windows Service Control Manager attempts to locate and execute the service binary. Due to the unquoted path, it first interprets \u003ccode\u003eC:\\Program.exe\u003c/code\u003e as the intended executable.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eC:\\Program.exe\u003c/code\u003e is executed instead of the legitimate service binary, inheriting SYSTEM privileges due to the service's configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves SYSTEM-level privilege escalation, enabling full control over the compromised host for further malicious activities, such as data exfiltration, lateral movement, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2016-20095 grants a local attacker SYSTEM-level privileges on the compromised system. This is a critical escalation that allows complete control over the operating system, including the ability to install rootkits, disable security software, exfiltrate sensitive data, or establish persistent access. While specific victim counts are not available, any organization utilizing vulnerable versions of Matrix42 Remote Control Host is at risk of complete system compromise if a local attacker gains a foothold. The vulnerability's age indicates that unpatched systems could still be prevalent, posing a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment to detect \u003ccode\u003eC:\\Program.exe\u003c/code\u003e process creation and file creation in \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events (\u003ccode\u003eprocess_creation\u003c/code\u003e log source) where \u003ccode\u003eProgram.exe\u003c/code\u003e is executed from the \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e directory with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events (\u003ccode\u003efile_event\u003c/code\u003e log source) of \u003ccode\u003eProgram.exe\u003c/code\u003e within the \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003ePatch Matrix42 Remote Control Host to a version greater than 3.20.0031 as advised by the vendor on \u003ccode\u003ehttps://www.matrix42.com/\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T15:56:28Z","date_published":"2026-06-19T15:56:28Z","id":"https://feed.craftedsignal.io/briefs/2026-06-matrix42-unquoted-path/","summary":"A local attacker can exploit CVE-2016-20095, an unquoted service path vulnerability in Matrix42 Remote Control Host version 3.20.0031, to achieve arbitrary code execution with SYSTEM privileges by placing a malicious executable named 'Program.exe' in the 'C:\\Program Files\\' directory, leading to privilege escalation when the vulnerable service starts.","title":"CVE-2016-20095: Matrix42 Remote Control Host Unquoted Service Path Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-06-matrix42-unquoted-path/"}],"language":"en","title":"CraftedSignal Threat Feed - Matrix42","version":"https://jsonfeed.org/version/1.1"}