CVE-2017-20218

high

Description

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5405.php

https://www.vulncheck.com/advisories/serviio-pro-local-privilege-escalation-via-unquoted-path

https://www.exploit-db.com/exploits/41959/

https://packetstormsecurity.com/files/142384

https://exchange.xforce.ibmcloud.com/vulnerabilities/125644

https://cxsecurity.com/issue/WLB-2017050019

https://blogs.securiteam.com/index.php/archives/3094

Details

Source: Mitre, NVD

Published: 2026-03-16

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.5

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00013