Splinterware System Scheduler Pro 5.12 Privilege Escalation
Description
Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Attackers can rename the WService.exe file in the installation directory and replace it with a malicious executable that executes with LocalSystem privileges when the service is triggered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Splinterware System Scheduler Pro 5.12 has insecure default permissions allowing low-privilege users to replace the service executable and gain LocalSystem privileges.
Vulnerability
Splinterware System Scheduler Pro version 5.12 installs with insecure default file permissions on the installation directory C:\Program Files (x86)\SystemScheduler. The Everyone group is granted modify (M) permissions, as shown by icacls output [1]. This allows any local user to rename or replace the service executable WService.exe, which runs as LocalSystem via the WindowsScheduler service [1]. The vulnerability affects version 5.12 and possibly earlier versions [3].
Exploitation
An attacker with low-privilege local access can rename WService.exe to a backup name and place a malicious executable with the same name in the directory. The service is configured to start automatically and is triggered periodically, so no user interaction is required beyond initial placement. The attacker does not need to restart the service manually; the service will execute the malicious file on its next check [1].
Impact
Successful exploitation results in arbitrary code execution with LocalSystem privileges, granting the attacker full control over the affected Windows system. This includes the ability to install programs, create accounts, and access all resources [1][3].
Mitigation
No official patch has been released as of the publication of the exploit [1] and advisory [3]. Users should restrict permissions on the installation directory to remove Everyone modify access, or uninstall the software if not needed. The vulnerability is tracked under CVE-2018-25359.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =5.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insecure file permissions grant the Everyone group modify access to the System Scheduler installation directory, allowing low-privilege users to replace the service binary."
Attack vector
A low-privilege user renames the legitimate `WService.exe` file in the installation directory and replaces it with a malicious executable. The Windows Scheduler service (`WindowsScheduler`) runs as `LocalSystem` and periodically checks the service, triggering execution of the replaced binary. This gives the attacker a shell with `nt authority\system` privileges [ref_id=1].
Affected code
The vulnerability affects the WService.exe file located in the System Scheduler installation directory (typically `C:\Program Files (x86)\SystemScheduler`). The Everyone group has modify permissions on this directory, as shown by the `icacls` output: `Everyone:(OI)(CI)(M)` [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not specify a fix. To remediate, administrators should restrict the file permissions on the System Scheduler installation directory so that the Everyone group no longer has modify access, preventing low-privilege users from renaming or replacing `WService.exe` [ref_id=1].
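The permission check and remediation described under Mitigation and in the paragraph above, as an added PowerShell example (not code from the advisory or the vendor). The function name `Get-WeakAce`, the `-Fix` switch and the groups checked beyond Everyone are assumptions of this example; the directory and file name are the ones the advisory gives.

```powershell
# Added example: audits by default; -Fix rewrites the ACL (run elevated).
param([switch]$Fix)

$InstallDir = 'C:\Program Files (x86)\SystemScheduler'  # path from the advisory
$Binary     = Join-Path $InstallDir 'WService.exe'      # service executable

# Well-known SIDs, so the check also works on non-English Windows.
# Looking at groups other than Everyone is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that permit renaming, replacing or re-permissioning a file, plus the
# raw GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @($InstallDir, $Binary) | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-WeakAce -Path $_ }
$findings | Format-Table -AutoSize

if ($Fix -and $findings) {
    # Replace Everyone's explicit grant with read/execute on the tree.
    # This does not touch inherited ACEs or the other groups listed above.
    icacls $InstallDir /grant:r '*S-1-1-0:(OI)(CI)(RX)' /T
    # Re-run the audit; remaining rows need manual review.
    @($InstallDir, $Binary) | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-WeakAce -Path $_ } | Format-Table -AutoSize
}
```

An empty table after `-Fix` means no broad group retains write-capable access to the directory or to `WService.exe`; test the scheduler afterwards, since the application may expect to write into its own directory.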
Preconditions
- Config: System Scheduler Pro 5.12 must be installed with the Windows Scheduler service running
- Auth: Attacker must have a low-privilege user account on the victim machine
- Input: Attacker must be able to write a malicious executable to the victim machine
Reproduction
1. Log in as a regular user on a machine where Splinterware System Scheduler Pro 5.12 and the service are installed.
2. Create a malicious `wservice.exe` that connects back to the attacker's machine.
3. Download the malicious `.exe` to the victim machine and set up a listener on the attacking machine.
4. Rename the original `wservice.exe` to `wservice.bak` and copy the malicious file to the original location.
5. Wait a short amount of time; the service check triggers the malicious executable.
6. A connection back from the victim machine appears; run `whoami` to confirm `nt authority\system` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45072 (mitre, exploit)
- www.vulncheck.com/advisories/splinterware-system-scheduler-pro-privilege-escalation (mitre, third-party-advisory)
- www.splinterware.com (mitre, product)