PatchSiren cyber security CVE debrief
CVE-2018-25359 Splinterware CVE debrief
CVE-2018-25359 documents an insecure file permissions vulnerability in Splinterware System Scheduler Pro 5.12 that enables local privilege escalation. The vulnerability stems from overly permissive access controls on the service executable WService.exe within the installation directory. Low-privilege users can rename the legitimate service executable and substitute a malicious replacement; when the service subsequently triggers, the attacker-controlled binary executes with LocalSystem privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects high impact across confidentiality, integrity, and availability, with a local attack vector and low attack complexity. The weakness is classified as CWE-276 (Incorrect Default Permissions). The CVE was published on 2026-05-25 and modified on 2026-05-26; the NVD status is currently Deferred. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: Splinterware
- Product: Splinterware System Scheduler Pro
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Windows system administrators managing endpoints with Splinterware System Scheduler Pro deployed; security operations teams monitoring for privilege escalation techniques; incident responders investigating suspicious LocalSystem process execution; compliance auditors assessing privileged access management controls on legacy scheduling software installations.
Technical summary
The vulnerability exists because the WService.exe service executable resides in a directory with weak access control lists, permitting non-privileged users to modify or replace the file. When the Windows Service Control Manager launches the service, it executes the attacker-controlled binary in the LocalSystem security context, granting complete control over the host. This is an insecure service executable permissions weakness, in the same family of service misconfigurations as unquoted service paths, rather than a code vulnerability per se.
Defensive priority
HIGH
Recommended defensive actions
- Audit file system permissions on Splinterware System Scheduler Pro installation directories, specifically WService.exe and parent folder ACLs
- Remove write access for low-privilege users (Users, Authenticated Users, Everyone) from service executable paths
- Implement application whitelisting or Windows Defender Application Control (WDAC) policies to prevent unauthorized binary execution in protected directories
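- Monitor for file system events indicating renaming or replacement of WService.exe using Windows Event ID 4663 or EDR file integrity monitoring (4663 is only logged when the Audit File System subcategory is enabled and an auditing entry, or SACL, is set on the file or folder)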
- Review service configuration to ensure binary path references use protected locations with restricted write access
- Consider upgrading to a patched version if available from the vendor, or remove the software if unsupported
- Deploy endpoint detection rules targeting anomalous LocalSystem service execution from non-standard binary paths
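The first two actions above can be checked with a short audit script. This is an added example, not code from the vendor or from the advisory sources; it goes beyond WService.exe and inspects every registered service binary together with its parent folder, and the function names and the set of rights treated as risky are choices made for this example.

```powershell
# Added example (not vendor or advisory code). Run elevated so every ACL is readable.
# Well-known SIDs for the groups named above: Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a principal overwrite, rename or delete a file, add or delete
# files in a folder, or rewrite the ACL/owner to grant itself those rights.
$risky = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service PathName (quoted or bare, with arguments).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce {
    # Emit one object per Allow ACE that gives a low-privilege SID a risky right on $Path.
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
        [pscustomobject]@{
            Path = $Path; Sid = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
    # Check the binary and its parent folder: renaming needs Delete on the file or
    # delete-child on the folder, and dropping a replacement needs write on the folder.
    foreach ($target in $exe, (Split-Path -Parent $exe)) {
        Get-WeakAce -Path $target | Select-Object @{n='Service'; e={$svc.Name}},
            @{n='RunsAs'; e={$svc.StartName}}, Path, Sid, Rights, Inherited
    }
} | Format-List
```

Any entry whose Path is WService.exe or its installation folder is the condition this CVE describes. An empty result means none of the three groups holds those rights directly, not that no other principal does.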
Evidence notes
Primary evidence derives from NVD modified feed entries with references to the VulnCheck advisory and the Exploit-DB disclosure. Vendor attribution is based on candidate evidence from reference domains; it is low confidence and requires review.
Official resources
The vulnerability was disclosed via VulnCheck and documented in Exploit-DB. The vendor, Splinterware, is referenced, though no official vendor advisory has been identified in the source corpus.