CVE-2025-41359 Overview
CVE-2025-41359 is an unquoted service path vulnerability affecting Small HTTP Server version 3.06.36. The service is registered with the command line C:\Program Files (x86)\shttps_mg\http.exe service. Because the path contains spaces and is not enclosed in quotation marks, Windows may parse it incorrectly and execute a malicious binary that a local attacker has placed in a higher priority directory.
This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption.
Critical Impact
Local privilege escalation through arbitrary code execution when the vulnerable service starts or restarts.
Affected Products
- Small HTTP Server 3.06.36
- smallsrv small_http_server (all versions matching cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*)
Discovery Timeline
- 2026-03-26 - CVE-2025-41359 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2025-41359
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with a path containing spaces that is not enclosed in quotation marks, the operating system attempts to locate the executable by parsing the path at each space character.
For the path C:\Program Files (x86)\shttps_mg\http.exe service, Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\shttps_mg\http.exe
If an attacker can place a malicious executable at C:\Program.exe or C:\Program Files.exe, Windows will execute the attacker's binary with the privileges of the service account before reaching the legitimate executable.
Root Cause
The root cause is improper configuration of the Windows service registration. The service path was registered without enclosing the full path in double quotes. This is a common oversight in software installers that fail to properly escape or quote paths containing spaces when registering Windows services.
Attack Vector
This vulnerability requires local access to exploit. An attacker must have sufficient privileges to write a malicious executable to one of the directories that Windows will check before the legitimate service path. The attack is typically executed when:
- The attacker identifies the unquoted service path
- The attacker places a malicious executable (e.g., Program.exe) in the root of the C: drive
- The service is restarted (either manually, through system reboot, or by triggering a service failure)
- Windows executes the attacker's binary with the service account privileges
The exploitation does not require any user interaction once the malicious binary is in place, as the code executes automatically when the service starts.
Detection Methods for CVE-2025-41359
Indicators of Compromise
- Unexpected executables named Program.exe or Files.exe in system root directories such as C:\ or C:\Program Files\
- Unusual process execution patterns where Program.exe spawns from service contexts
- Modified timestamps on directories in potential hijack paths
- Service failures followed by unexpected system behavior
Detection Strategies
- Run the Windows command wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ to identify unquoted service paths
- Monitor file creation events in C:\ and C:\Program Files\ directories for suspicious executables
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use SentinelOne's behavioral AI to detect privilege escalation attempts through service abuse
Monitoring Recommendations
- Enable Windows Event logging for service start/stop events (Event ID 7035, 7036)
- Monitor for file creation events in directories commonly targeted by unquoted service path attacks
- Deploy endpoint detection and response (EDR) solutions capable of identifying service hijacking attempts
- Regularly audit Windows services for unquoted paths using automated scanning tools
How to Mitigate CVE-2025-41359
Immediate Actions Required
- Audit all installed Windows services for unquoted paths containing spaces
- Manually correct the service path by enclosing it in double quotes in the Windows Registry
- Remove any suspicious executables found in C:\ or C:\Program Files\ directories
- Restrict write permissions to system directories to prevent placement of malicious binaries
- Contact the vendor for an updated installer that properly quotes the service path
Patch Information
No vendor patch was available at the time of publication. Organizations should refer to the INCIBE CERT Security Notice for the latest updates and remediation guidance.
To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches while restricting physical and network access.
Workarounds
- Manually edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName]\ImagePath to enclose the path in double quotes
- Restrict write access to C:\ and C:\Program Files\ directories using NTFS permissions
- Implement application control policies to block execution of unauthorized binaries
- Consider disabling the vulnerable service if not required until a proper fix is available
REM Registry fix command (run as Administrator from cmd.exe)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\shttps_mg" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\shttps_mg\http.exe\" service" /f
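The parsing order listed under Vulnerability Analysis and the quoted ImagePath used in the registry fix can both be derived mechanically from a service's ImagePath string. The following Python is an added example, not code from the vendor or the advisory; the function names and the sample inventory are constructed for illustration, and it assumes the intended executable ends in .exe.

```python
# Added example: audit ImagePath strings for unquoted service paths (CWE-428).
# Function names and the sample inventory are constructed for illustration.

def split_unquoted(image_path):
    """Return (candidates, exe, args) for an unquoted ImagePath.

    candidates are the paths Windows would try before the intended
    executable; the list is empty when the value is already quoted or has
    no space inside the executable path. Assumes the target ends in .exe.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return [], None, None            # already quoted, nothing to audit
    tokens = value.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return candidates, prefix, " ".join(tokens[i:])
        candidates.append(prefix + ".exe")
    return [], None, None                # no .exe target recognised


def quoted_image_path(image_path):
    """Return the corrected ImagePath, or the input if no fix is needed."""
    candidates, exe, args = split_unquoted(image_path)
    if not candidates:
        return image_path
    return f'"{exe}" {args}'.rstrip()


def audit(services):
    """Map service name -> (candidate hijack paths, corrected ImagePath)."""
    findings = {}
    for name, image_path in services.items():
        candidates, _, _ = split_unquoted(image_path)
        if candidates:
            findings[name] = (candidates, quoted_image_path(image_path))
    return findings


# Constructed inventory; only the shttps_mg value comes from the advisory.
SAMPLE_SERVICES = {
    "shttps_mg": r"C:\Program Files (x86)\shttps_mg\http.exe service",
    "quoted_svc": r'"C:\Program Files\Example\agent.exe" --run',
    "no_spaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, (paths, fixed) in audit(SAMPLE_SERVICES).items():
        print(name, paths, "->", fixed)
```

On a live host the dictionary would be filled from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services instead of the constructed sample.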
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


