CVE-2018-25359 Overview
CVE-2018-25359 affects Splinterware System Scheduler Pro 5.12. The product installs its service executable, WService.exe, with insecure file permissions that grant write access to non-privileged users. A local attacker can rename or replace WService.exe with a malicious binary. When the Windows service starts, the replacement runs under the LocalSystem account. This results in full local privilege escalation from a standard user to SYSTEM. The vulnerability is classified under CWE-276: Incorrect Default Permissions.
Critical Impact
A low-privileged local user can execute arbitrary code as LocalSystem, gaining full control of the affected Windows host.
Affected Products
- Splinterware System Scheduler Pro 5.12
- Installations using default directory permissions on WService.exe
- Windows hosts where the System Scheduler service runs as LocalSystem
Discovery Timeline
- 2026-05-25 - CVE-2018-25359 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2018-25359
Vulnerability Analysis
Splinterware System Scheduler Pro 5.12 installs to a directory whose access control list (ACL) grants modify or write permissions to the Users or Authenticated Users group. The service binary WService.exe inherits these weak permissions. The service is registered to start as LocalSystem, the highest-privileged local account on Windows. Because Windows resolves the service image path at start time, any executable placed at that path will run with the service's configured privileges. The combination of a writable binary and a high-privileged service account gives a standard user a direct path to full local administrative control.
Root Cause
The root cause is incorrect default permissions on the installation directory and service executable. The installer does not restrict write access to privileged principals such as SYSTEM and Administrators. Standard Windows guidance requires service binaries to live in protected locations such as %ProgramFiles% with ACLs that deny write access to non-administrators.
Attack Vector
Exploitation requires local access with any interactive user account. The attacker renames WService.exe in the installation directory, drops a malicious binary using the same filename, and triggers a service restart by rebooting the host or waiting for the scheduled service cycle. Windows then executes the attacker's binary as LocalSystem. A working proof of concept is published at Exploit-DB #45072. Additional analysis is available in the VulnCheck advisory.
No verified code examples are available for inclusion. Refer to the linked Exploit-DB entry for the public proof of concept.
Detection Methods for CVE-2018-25359
Indicators of Compromise
- Presence of WService.exe.bak, WService.old, or similarly renamed copies in the System Scheduler installation directory.
- Unexpected modification timestamps on WService.exe that do not match the installer's original file metadata.
- Child processes of WService.exe running as NT AUTHORITY\SYSTEM that spawn cmd.exe, powershell.exe, or other interactive tools.
- Service start events (Event ID 7036) for System Scheduler immediately following file writes by a non-administrative user.
Detection Strategies
- Audit ACLs on the System Scheduler installation directory and flag any entry granting write or modify rights to non-administrative groups.
- Monitor file integrity on WService.exe and alert when the hash changes outside of an authorized patch window.
- Correlate file write events authored by standard users against subsequent service start events for the same binary.
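The ACL audit in the first strategy can be run centrally over collected `icacls` output. The following is an added example, not code from the vendor or the advisory; the trusted-principal allowlist and both sample outputs are constructed, and the path is the one used in this page's hardening example.

```python
import re

# Assumed allowlist of principals that may hold write access to a service binary.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
           "NT SERVICE\\TRUSTEDINSTALLER"}
# icacls simple and specific rights that allow replacing, renaming or re-ACLing a file.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

def audit_icacls(path, output):
    """Return (principal, risky_rights) for allow ACEs that let a non-admin alter `path`."""
    findings = []
    for line in output.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]          # first line carries the path before the ACE
        m = ACE_RE.match(line.strip())
        if not m:
            continue                         # blank line or the icacls summary line
        tokens = {t.strip().upper()
                  for group in re.findall(r"\(([^)]*)\)", m["perms"])
                  for t in group.split(",")}
        if "DENY" in tokens or m["who"].upper() in TRUSTED:
            continue
        risky = sorted(tokens & WRITE_RIGHTS)  # inheritance flags (I, OI, CI...) drop out here
        if risky:
            findings.append((m["who"], risky))
    return findings

PATH = r"C:\Program Files\System Scheduler\WService.exe"
# Constructed output resembling a weak, inherited ACL.
WEAK = PATH + r""" BUILTIN\Users:(I)(F)
    NT AUTHORITY\Authenticated Users:(I)(M)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed output after the icacls hardening commands on this page.
HARDENED = PATH + r""" NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Administrators:(F)
    BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in audit_icacls(PATH, WEAK):
        print(f"FLAG {who} holds {','.join(rights)} on {PATH}")
```

Run the same check against the installation directory's ACL as well, since write or delete-child rights on the parent folder allow the rename even when the file's own ACL is clean.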
Monitoring Recommendations
- Enable Windows Security auditing for object access on the System Scheduler directory and forward events to a central log platform.
- Track Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) for the System Scheduler binary path.
- Review service configuration drift on a recurring schedule to detect changes to ImagePath or service account assignments.
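The correlation of non-administrative file writes with a later service start, described under Detection Strategies and fed by the Sysmon and Service Control Manager events above, can be sketched as follows. This is an added example, not part of the original advisory; the normalized field names, the service display name, the 24-hour window and all event records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: accounts allowed to replace the binary; extend with deployment accounts.
PRIVILEGED = {"NT AUTHORITY\\SYSTEM"}
BINARY = "wservice.exe"

def correlate(events, window=timedelta(hours=24), service="System Scheduler"):
    """Pair each non-privileged write of WService.exe with the next service start in `window`."""
    alerts, pending = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 11:                       # Sysmon FileCreate
            if (ev["target"].lower().endswith("\\" + BINARY)
                    and ev["user"].upper() not in PRIVILEGED):
                pending.append(ev)
        elif (ev["event_id"] == 7036                   # service state change
              and service.lower() in ev["service"].lower()
              and ev["state"] == "running"):
            for w in pending:
                if ev["time"] - w["time"] <= window:
                    alerts.append({"user": w["user"], "written": w["time"],
                                   "started": ev["time"]})
            pending = []                               # writes are consumed by this start
    return alerts

def t(s):
    return datetime.fromisoformat(s)

P = r"C:\Program Files\System Scheduler\WService.exe"
# Constructed, normalized event records (not taken from a real host).
EVENTS = [
    {"time": t("2024-03-04T09:02:00"), "event_id": 11, "user": "WS01\\alice", "target": P},
    {"time": t("2024-03-04T09:05:00"), "event_id": 7036,
     "service": "Print Spooler", "state": "running"},
    {"time": t("2024-03-04T09:40:00"), "event_id": 7036,
     "service": "System Scheduler Service", "state": "running"},
    {"time": t("2024-03-05T10:00:00"), "event_id": 11,
     "user": "NT AUTHORITY\\SYSTEM", "target": P},
    {"time": t("2024-03-05T10:01:00"), "event_id": 7036,
     "service": "System Scheduler Service", "state": "running"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['user']} wrote {BINARY} at {a['written']}, service started {a['started']}")
```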
How to Mitigate CVE-2018-25359
Immediate Actions Required
- Inventory all hosts running Splinterware System Scheduler Pro 5.12 and confirm the ACLs on the installation directory.
- Restrict write and modify permissions on the installation directory to SYSTEM and Administrators only.
- Remove the product from systems where it is not required, particularly multi-user workstations and terminal servers.
- Reconfigure the service to run under a least-privileged account where business requirements allow.
Patch Information
No vendor patch is referenced in the available advisory data. Consult the Splinterware homepage for current product versions and any updated installers that may correct the directory permissions. Until a fixed version is confirmed, apply the permission hardening described in the workarounds.
Workarounds
- Manually apply restrictive ACLs to the installation directory using icacls to remove inherited write permissions for Users and Authenticated Users.
- Relocate WService.exe into a protected directory under %ProgramFiles% and update the service ImagePath accordingly.
- Apply Windows AppLocker or Windows Defender Application Control policies to block execution of unsigned binaries from the System Scheduler directory.
# Configuration example: harden ACLs on the installation directory
icacls "C:\Program Files\System Scheduler" /inheritance:r
icacls "C:\Program Files\System Scheduler" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
icacls "C:\Program Files\System Scheduler\WService.exe" /grant:r "SYSTEM:F" "Administrators:F" "Users:RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


