CVE-2025-41359 is a vulnerability classified under CWE-428 (Unquoted Search Path or Element) affecting Small HTTP Server version 3.06.36. The issue arises because the service executable path 'C:\Program Files (x86)\shttps_mg\http.exe service' is not properly quoted. Windows interprets unquoted paths containing spaces by splitting them at the spaces and searching for executables in each resulting directory segment in order of precedence. This behavior allows a local attacker with limited privileges to place a malicious executable named 'http.exe' or similarly named in a directory higher in the search order (e.g., 'C:\Program Files (x86)\shttps_mg\http.exe' could be interpreted as 'C:\Program.exe' if unquoted). When the service starts, it may execute the attacker's malicious binary instead of the legitimate one, leading to arbitrary code execution. The vulnerability requires local access and low privileges but no user interaction or authentication beyond local presence. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity. No public exploits have been reported yet, but the risk remains significant due to the potential for privilege escalation and system compromise. The root cause is a common Windows service misconfiguration that can be mitigated by quoting the executable path in the service configuration and ensuring proper permissions on directories and executables.

If exploited, this vulnerability allows a local attacker to execute arbitrary code with the privileges of the Small HTTP service, potentially leading to unauthorized access, data theft, service disruption, or full system compromise. Since the service likely runs with elevated privileges, the attacker could escalate privileges from a low-privileged user to system-level control. This can undermine system integrity and availability, disrupt web services, and facilitate further lateral movement within an organization’s network. The vulnerability's exploitation does not require user interaction, increasing the risk in environments where local access is possible. Organizations relying on Small HTTP Server 3.06.36, especially in critical infrastructure or internet-facing roles, face significant operational and security risks if this flaw is not addressed promptly.

1. Immediately verify and update the service executable path to be properly quoted in the Windows service configuration to prevent path hijacking. 2. Restrict write permissions on all directories in the service executable path to prevent unauthorized file placement by low-privileged users. 3. Limit local user access to systems running Small HTTP Server to trusted personnel only, and enforce strict access controls. 4. Monitor and audit service startup logs and file system changes in the service directories for signs of suspicious activity. 5. Apply any vendor patches or updates addressing this vulnerability as soon as they become available. 6. Consider running the service with the least privileges necessary to reduce the impact of potential exploitation. 7. Employ application whitelisting or endpoint protection solutions that can detect and block unauthorized executables from running. 8. Regularly review and harden Windows service configurations to avoid similar unquoted path vulnerabilities.