Primary

Context

Wibu-Systems CodeMeter Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

Vulnerability

An unquoted service path vulnerability has been identified in Wibu-Systems CodeMeter version 6.60. This vulnerability allows local users to execute arbitrary code with elevated privileges. The issue arises from the unquoted binary path of the CodeMeter Runtime Server service, which can be exploited to inject malicious code that executes with LocalSystem rights.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code with elevated system privileges.

Reproduction

The vulnerability can be reproduced by creating a service with an unquoted path that includes spaces. This can be done using the Windows Service Control Manager (SC) command. Once the service is created, a local user can exploit the unquoted service path to execute malicious code with elevated privileges.

Added: Jan 29, 2026, 3:28 PM

Updated: Jan 29, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

2.5

exploitability

4.4

remediation

0.0

relevance

2.5

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

2.5

exploitability

4.4

remediation

0.0

relevance

2.5

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Wibu-Systems CodeMeter Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Impact

Reproduction

Affected Products

Wibu-Systems CodeMeter

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating