VYPR
Medium severity 6.7 · NVD Advisory · Published Apr 2, 2017 · Updated May 13, 2026

CVE-2016-8769

Description

Huawei UTPS versions before V200R003B015D16SPC00C983 contain an unquoted service path vulnerability allowing local attackers to execute arbitrary code with SYSTEM privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Huawei Unified Terminal PC suite (UTPS), also known as Mobile Partner and bundled with Internet dongles, has an unquoted service path vulnerability in versions earlier than UTPS-V200R003B015D16SPC00C983 [1]. The service binary path contains spaces but is not enclosed in quotes, so Windows searches for the executable in multiple locations, enabling path truncation and the potential for a different executable to be loaded [1][2].

Exploitation

An attacker must have local access to the system and be able to place a malicious executable in a path that Windows will search before the intended service binary. For example, the service `Photon. RunOuc` has `BINARY_PATH_NAME = C:\Program Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe` (without quotes) [2]. By placing a rogue executable named `Program.exe` or `Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe` in the appropriate location, the attacker can cause the service to run their code instead [2]. No authentication beyond local user access is required, and the service runs automatically on boot [2].

Impact

If successful, the attacker's arbitrary code executes with SYSTEM privileges, granting full control over the host machine [1][2]. This leads to complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

Huawei has released fixed version UTPS-V200R003B015D16SPC00C983 [1]. Users should upgrade to this version or later. No workaround is provided for unpatched installations. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • cpe:2.3:o:huawei:utps_firmware:*:*:*:*:*:*:*:*
    Range: <=v200r003b015d15sp00c983
  • Huawei/Utps (llm-fuzzy)
    Range: < UTPS-V200R003B015D16SPC00C983
  • Huawei Technologies Co., Ltd./Huawei UTPS (v5)
    Range: earlier than UTPS-V200R003B015D16SPC00C983

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The service binary path is not enclosed in quotation marks, causing Windows to truncate the path at spaces and search for executables in intermediate directories."

Attack vector

An attacker with local, non-privileged access places a malicious executable named, for example, `Program.exe` or `Files\Photon.exe` in a directory that Windows will search before reaching the intended `ouc.exe` [ref_id=1]. The unquoted service path `C:\Program Files\Photon\...` causes Windows to attempt to execute `C:\Program.exe` or `C:\Program Files\Photon.exe` first. When the service starts (automatically at boot or after a manual restart), the attacker's executable runs with SYSTEM privileges because the service runs as `LocalSystem` [ref_id=1].

Affected code

The vulnerable service binary paths are unquoted: `C:\Program Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe` (for the "Photon. RunOuc" service) and `C:\Program Files\airtel\UpdateDog\ouc.exe` (for the "airtel. Runouc" service) [ref_id=1]. Because the path contains spaces and is not enclosed in quotes, Windows will interpret each space-separated segment as a potential executable location.

What the fix does

The advisory states the vulnerability is fixed in version UTPS-V200R003B015D16SPC00C983 [ref_id=1]. No patch diff is provided in the bundle, but the standard remediation for an unquoted service path is to enclose the binary path in quotation marks (e.g., `"C:\Program Files\Photon\...\ouc.exe"`) so that Windows treats the entire string as a single path rather than splitting it on spaces. The fix prevents the truncation that allows an attacker's executable to be loaded in place of the intended service binary.
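
One way to audit for the condition described above and to show the quoted form of each flagged path, as an added example that is not code from Huawei or from the advisory. The function name `Test-UnquotedServicePath` and the two control entries are hypothetical; the service names and paths are the ones quoted on this page.

```powershell
# Added example (not vendor code): flag service paths that are unquoted and
# contain a space before the executable name, and build the quoted form.
function Test-UnquotedServicePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $p = $PathName.Trim()
    # A leading quote means the executable path is already delimited.
    if ($p.StartsWith('"')) { return }
    # Split at the first ".exe": executable path, then optional arguments.
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') { return }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']
    # Spaces that occur only in the arguments (svchost.exe -k ...) are not ambiguous.
    if ($exe -notmatch '\s') { return }
    [pscustomobject]@{
        Service = $Name
        Current = $p
        Quoted  = '"{0}"{1}' -f $exe, $rest
    }
}

# Constructed sample input: the two paths quoted in this advisory, plus two
# hypothetical controls that must not be flagged.
$samples = @(
    [pscustomobject]@{ Name = 'Photon. RunOuc'; PathName = 'C:\Program Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe' }
    [pscustomobject]@{ Name = 'airtel. Runouc'; PathName = 'C:\Program Files\airtel\UpdateDog\ouc.exe' }
    [pscustomobject]@{ Name = 'QuotedControl';  PathName = '"C:\Program Files\Example\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ArgsControl';    PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples |
    ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName } |
    Format-List

# On a live host the same check can be fed from a read-only query:
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName }
```

Only the two UTPS entries are reported; the quoted control and the control whose only space precedes its arguments are skipped.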

Preconditions

  • auth: Attacker must have local, non-privileged access to the Windows system where Huawei UTPS is installed.
  • config: The vulnerable service (Photon. RunOuc or airtel. Runouc) must be configured with an unquoted binary path containing spaces.
  • input: Attacker must be able to write a malicious executable to a directory that Windows will search due to the unquoted path (e.g., C:\) or have another means to place a file in the search path.

Reproduction

1. Open a command prompt and run `sc qc "Photon. RunOuc"` or `sc qc "airtel. Runouc"` to confirm the unquoted binary path (e.g., `C:\Program Files\Photon\...\ouc.exe`) [ref_id=1].
2. Place a malicious executable named `Program.exe` in `C:\` (or `Files\Photon.exe` in `C:\Program Files\`, depending on the path depth).
3. Restart the service or reboot the system.
4. The malicious executable executes with SYSTEM privileges [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
