CVE-2025-41368 is a vulnerability identified in Small HTTP Server version 3.06.36, specifically related to an unquoted service path in the Windows service configuration for the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. The issue arises because the service path is not enclosed in quotation marks, which causes Windows to interpret the path incorrectly when searching for the executable to run. This misinterpretation allows a local attacker to place a malicious executable with the same name as the service executable in a directory that is searched earlier in the system's PATH environment variable or in a directory higher in the hierarchy, such as 'C:\Program Files (x86)\shttps_mg\http.exe' being interpreted as 'C:\Program.exe' if unquoted. When the service starts, it may execute the attacker's malicious executable instead of the legitimate one. This vulnerability is classified under CWE-428 (Unquoted Search Path or Element) and can lead to arbitrary code execution with the privileges of the service, unauthorized access, or denial of service. The CVSS 4.0 score is 8.5 (high severity), reflecting the ease of exploitation by a local attacker with low privileges and the high impact on confidentiality, integrity, and availability. No user interaction or elevated privileges beyond local access are required, and no known exploits have been reported in the wild as of now. The vulnerability highlights the importance of secure service path configuration and proper quoting in Windows environments to prevent path hijacking attacks.

The vulnerability allows a local attacker with limited privileges to escalate their capabilities by executing arbitrary code within the context of the Small HTTP Server service. This can lead to unauthorized access to sensitive data, modification or deletion of files, installation of persistent malware, or disruption of the HTTP service, impacting availability. Organizations running Small HTTP Server 3.06.36 on Windows systems are at risk, especially if local access controls are weak or if the service runs with elevated privileges. The attack does not require user interaction, increasing the risk in environments where multiple users have local access. The potential for privilege escalation and system compromise makes this vulnerability particularly dangerous in shared or multi-user systems, development environments, or servers exposed to multiple users. The absence of known exploits in the wild provides a window for remediation, but the high CVSS score indicates that exploitation could have severe consequences for confidentiality, integrity, and availability.

1. Immediately audit all Windows services for unquoted service paths, especially those running Small HTTP Server or similar software. 2. Correct the service path by enclosing it in double quotes to ensure Windows correctly interprets the executable location, e.g., "C:\Program Files (x86)\shttps_mg\http.exe" service. 3. Restrict local user permissions to prevent unauthorized users from writing to directories that are part of the service path or system PATH environment variable. 4. Limit physical and network access to systems running the vulnerable service to trusted personnel only. 5. Monitor and log service start events and unexpected executable launches to detect potential exploitation attempts. 6. Apply vendor patches or updates as soon as they become available. 7. Employ application whitelisting to prevent unauthorized executables from running. 8. Educate system administrators about the risks of unquoted service paths and enforce secure configuration baselines. 9. Consider running the service with the least privileges necessary to reduce impact if exploited. 10. Use endpoint detection and response (EDR) tools to detect suspicious local activity related to service execution.