📄 Description (English)
sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.
🤖 AI Executive Summary
CVE-2016-20061 is a local privilege escalation vulnerability in Sheed AntiVirus 2.3 affecting the ShavProt service through an unquoted service path. Attackers with local access can place malicious executables in the service path to gain LocalSystem privileges upon service restart or system reboot. With no patch available and moderate exploit complexity, this poses a significant risk to organizations using this antivirus solution.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 22:51
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using Sheed AntiVirus 2.3, particularly in government agencies, financial institutions, and corporate environments where this antivirus solution is deployed. The risk is elevated in sectors with multi-user systems or shared workstations (banking/SAMA, government/NCA, healthcare facilities, and enterprise IT environments). Organizations relying on this antivirus for endpoint protection face potential complete system compromise through privilege escalation.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Enterprise IT
🎯 MITRE ATT&CK Techniques
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1036.003 - Masquerading: Rename System Utilities
T1611 - Escape to Host
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all systems running Sheed AntiVirus 2.3 and document deployment scope
2. Restrict local access to systems running the vulnerable antivirus through access controls and user privilege management
3. Monitor for suspicious file creation in service paths (typically C:\Program Files\Sheed or similar)
4. Implement application whitelisting to prevent unauthorized executable execution
Compensating Controls (No Patch Available):
1. Disable or remove Sheed AntiVirus 2.3 and migrate to alternative, actively maintained antivirus solutions
2. Apply principle of least privilege - ensure users operate with standard user accounts, not administrator
3. Implement file integrity monitoring on service directories
4. Enable Windows Service hardening and restrict service restart permissions
5. Deploy Host-based Intrusion Detection System (HIDS) to monitor suspicious process execution
Detection Rules:
1. Monitor for file creation in unquoted service paths with executable extensions (.exe, .dll, .sys)
2. Alert on ShavProt service restart or unexpected service state changes
3. Track process execution with LocalSystem privileges originating from service paths
4. Monitor registry changes to service configuration (HKLM\SYSTEM\CurrentControlSet\Services\ShavProt)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع الأنظمة التي تعمل بـ Sheed AntiVirus 2.3 وتوثيق نطاق النشر
2. تقييد الوصول المحلي للأنظمة التي تعمل بمكافحة الفيروسات الضعيفة من خلال عناصر التحكم في الوصول وإدارة امتيازات المستخدم
3. مراقبة إنشاء الملفات المريبة في مسارات الخدمة
4. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ الملفات التنفيذية غير المصرح بها
عناصر التحكم التعويضية (لا يوجد تصحيح متاح):
1. تعطيل أو إزالة Sheed AntiVirus 2.3 والهجرة إلى حلول مكافحة فيروسات بديلة يتم صيانتها بنشاط
2. تطبيق مبدأ أقل امتياز - تأكد من أن المستخدمين يعملون بحسابات مستخدم قياسية وليس مسؤول
3. تنفيذ مراقبة سلامة الملفات على دلائل الخدمة
4. تفعيل تقسية خدمة Windows وتقييد أذونات إعادة تشغيل الخدمة
5. نشر نظام كشف الاختراق المستند إلى المضيف (HIDS) لمراقبة تنفيذ العملية المريبة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Internal organization of information security
A.8.1.1 - User endpoint devices and clear desk/screen policy
A.8.2.1 - User access management
A.8.3.1 - User responsibilities
A.12.2.1 - Restrictions on software installation
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software inventory and asset management
PR.AC-1 - Access control policy and procedures
PR.AC-4 - Access rights and privileges management
PR.PT-1 - Audit logging and monitoring
DE.CM-1 - System monitoring and anomaly detection
RS.MI-1 - Incident response and containment
🟡 ISO 27001:2022
A.5.1 - Policies for information security
A.6.1 - Organization of information security
A.8.1 - User endpoint devices
A.8.2 - User access management
A.12.2 - Restrictions on software installation
A.12.6 - Management of technical vulnerabilities
A.14.2 - Security requirements analysis and specification
🔗 References & Sources 4
🔗
🔗
🔗
🔗
http://dl.sheedantivirus.ir/setup.exe
disclosure@vulncheck.com
http://sheedantivirus.ir/
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/40497
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/sheed-antivirus-unquoted-service-path-privilege-es...
disclosure@vulncheck.com