CVE-2025-41368: Small HTTP Server Unquoted Service Path Vulnerability
Executive Summary
CVE-2025-41368 is a high severity unquoted service path vulnerability in Small HTTP Server 3.06.36. It is classified as CWE-428 (Unquoted Search Path or Element). Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"Precogs AI detected this vulnerability pattern in CWE-428 implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."
CVE-2025-41368: Small HTTP Server Unquoted Service Path
An unquoted service path vulnerability has been discovered in Small HTTP Server 3.06.36, specifically affecting the service registered with the binary path C:\Program Files (x86)\shttps_mg\http.exe service. This misconfiguration allows a local attacker to escalate privileges or execute arbitrary code.
When a Windows service is created with an executable path that contains spaces and is not enclosed in quotes, Windows cannot tell where the executable name ends and its arguments begin. It resolves the ambiguity by treating the text up to each successive space as a possible executable and running the first one that exists.
Technical Details
The vulnerability stems from the way the Windows Service Control Manager (SCM) parses unquoted paths. The vulnerable service is registered with the path:
C:\Program Files (x86)\shttps_mg\http.exe service
Because the path is unquoted, the Windows OS evaluates the execution sequence in the following order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\shttps_mg\http.exe
If an authenticated local user has write permissions to the C:\ root directory, they can place a malicious executable named Program.exe. When the Small HTTP Server service starts (often running as NT AUTHORITY\SYSTEM), the SCM will execute the malicious Program.exe payload instead of the legitimate http.exe.
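The search order above can be computed directly from a service's ImagePath string, which makes it easy to audit many services at once. The following is an added example, not code from the advisory or the vendor: the function names are hypothetical, the sample entries other than the advisory's own path are constructed, and treating the first prefix that ends in .exe as the intended binary is an assumption.

```python
# Added example: models the search order the advisory describes for an
# unquoted service path. Not vendor code; sample data is constructed.

def search_order(image_path):
    """Return the executables Windows would try, in order, for an ImagePath."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        # Quoted path: exactly one candidate, the text between the quotes.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    order = []
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        if not tokens[i - 1]:
            continue  # skip empty tokens produced by repeated spaces
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            # Assumption: the first prefix that already names an .exe is the
            # intended binary; everything after it is an argument.
            return order + [prefix]
        order.append(prefix + ".exe")
    return order


def unintended_candidates(image_path):
    """Paths tried before the intended binary (empty list means not affected)."""
    return search_order(image_path)[:-1]


def audit(services):
    """Map service name -> unintended candidates, for affected entries only."""
    return {name: extra for name, path in services.items()
            if (extra := unintended_candidates(path))}


SAMPLE = {
    # Path as registered by the vulnerable service in the advisory.
    "shttps_mg": r"C:\Program Files (x86)\shttps_mg\http.exe service",
    # Constructed entries: the quoted form, and an unquoted path without spaces.
    "shttps_mg_fixed": r'"C:\Program Files (x86)\shttps_mg\http.exe" service',
    "example_nospace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, extra in audit(SAMPLE).items():
        print(f"{name}: unquoted path, Windows tries these first:")
        for path in extra:
            print(f"  {path}")
```

Each path reported for a service is a location that should not exist and that standard users should not be able to create.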
Impact
The exploitation of this vulnerability leads to Local Privilege Escalation (LPE). An attacker with standard user privileges can execute arbitrary code with SYSTEM level privileges, resulting in a full system compromise.
- Confidentiality: Complete loss (attacker gains full file system access).
- Integrity: Complete loss (attacker can modify or delete any file).
- Availability: Complete loss (attacker can disrupt all system operations).
Remediation
REM Configure the service with an explicitly quoted path
REM Open Command Prompt as Administrator and reconfigure the service:
sc config "shttps_mg" binpath= "\"C:\Program Files (x86)\shttps_mg\http.exe\" service"
Precogs Mitigation Strategy
The most direct fix is to modify the service configuration within the Windows registry or via the Service Control Manager to wrap the executable path in explicit quotation marks.
Administrators should also ensure that the file system permissions on the root drive (C:\) restrict standard users from writing files to the root directory, which is a defense-in-depth measure against all unquoted service path vulnerabilities.
FAQ
What is an Unquoted Service Path vulnerability?
An Unquoted Service Path vulnerability (CWE-428) occurs when a Windows service executable path containing spaces is not wrapped in quotation marks. This allows a local attacker to place a malicious executable in a location that Windows evaluates before the intended binary, leading to privilege escalation when the service starts as SYSTEM.