{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2016-20057", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-04T13:39:28.719Z", "datePublished": "2026-04-04T13:51:00.540Z", "dateUpdated": "2026-04-06T16:43:10.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-04T19:59:46.492Z"}, "datePublic": "2016-10-17T00:00:00.000Z", "title": "NETGATE Registry Cleaner build 16.0.205 Unquoted Service Path Privilege Escalation", "descriptions": [{"lang": "en", "value": "NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Unquoted Search Path or Element", "cweId": "CWE-428", "type": "CWE"}]}], "affected": [{"vendor": "Netgate", "product": "NETGATE Registry Cleaner", "versions": [{"version": "16.0.205", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/40539", "name": "ExploitDB-40539", "tags": ["exploit"]}, {"url": "http://www.netgate.sk/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://www.netgate.sk/download/download.php?id=4", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: NETGATE Registry Cleaner build 16.0.205 Unquoted Service Path Privilege Escalation", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/netgate-registry-cleaner-build-unquoted-service-path-privilege-escalation"}], "credits": [{"lang": "en", "value": "Amir.ght", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T16:42:55.347087Z", "id": "CVE-2016-20057", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:43:10.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2016-20057", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T16:42:55.347087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:43:04.768Z"}}], "cna": {"title": "NETGATE Registry Cleaner build 16.0.205 Unquoted Service Path Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Amir.ght"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Netgate", "product": "NETGATE Registry Cleaner", "versions": [{"status": "affected", "version": "16.0.205"}]}], "datePublic": "2016-10-17T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/40539", "name": "ExploitDB-40539", "tags": ["exploit"]}, {"url": "http://www.netgate.sk/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "http://www.netgate.sk/download/download.php?id=4", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/netgate-registry-cleaner-build-unquoted-service-path-privilege-escalation", "name": "VulnCheck Advisory: NETGATE Registry Cleaner build 16.0.205 Unquoted Service Path Privilege Escalation", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-428", "description": "Unquoted Search Path or Element"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-04T19:59:46.492Z"}}}, "cveMetadata": {"cveId": "CVE-2016-20057", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:43:10.464Z", "dateReserved": "2026-04-04T13:39:28.719Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-04T13:51:00.540Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netgate:registry_cleaner:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8AB4B0E-28DC-4151-83CE-E2941AF48D7E", "versionEndIncluding": "16.0.205", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges."}], "id": "CVE-2016-20057", "lastModified": "2026-04-20T14:25:56.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-04T14:16:18.223", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://www.netgate.sk/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://www.netgate.sk/download/download.php?id=4"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/40539"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/netgate-registry-cleaner-build-unquoted-service-path-privilege-escalation"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "16.0.205"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NETGATE Registry Cleaner", "source": "cna", "vendor": "Netgate"}, "product": "netgate_registry_cleaner", "vendor": "netgate"}], "analysis": {"en": {"generated_at": "2026-04-04T18:22:56.660937+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch or upgrade to a newer version that corrects the unquoted service path.", "If an upgrade is not immediately possible, place quotation marks around the NGRegClnSrv service executable path in the Windows registry or move the executable to a location without spaces.", "Remove any unexpected or malicious executables from the NGRegClnSrv service directory to prevent accidental execution.", "Disable automatic service restarts or scheduled reboots that could trigger the flaw, if feasible.", "Monitor Netgate's website and security advisories for additional patches or updates."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Netgate Registry Cleaner version 16.0.205. No other builds are listed as vulnerable, and earlier or later releases have no reported issues in the available data.", "description_and_impact": "NETGATE Registry Cleaner build 16.0.205 suffers from an unquoted service path flaw (CWE-428) in the NGRegClnSrv service. The vulnerability permits a local actor to place a malicious executable in the unquoted binary path and trigger a service restart or system reboot, causing the exploit to run with LocalSystem privileges. This grants the attacker full control over the affected Windows system, enabling arbitrary code execution, configuration changes, or further lateral movement.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.5, indicating high severity. No EPSS score is available, and it is not listed in CISA's KEV catalog. The attack vector is inferred to be local: an attacker must have the ability to write to the service directory and force a restart or reboot. While remote exploitation is not supported by the description, the apparent local requirement means that physical or logged-in user access can lead to a complete system compromise."}}}}, "created": "2026-04-06T20:27:19.958597+00:00", "updated": "2026-04-06T21:57:54.520957+00:00", "vendors": ["netgate", "netgate$PRODUCT$netgate_registry_cleaner"]}