Unquoted service path in Small HTTP Server, ‘C:\Program Files (x86)\shttps_mg\http.exe service’ lets local attacker run code — critical Windows information security risk

What happened

Forty-three minutes ago a high-severity flaw was published for Small HTTP Server 3.06.36 that centres on an unquoted service path, specifically the executable at ‘C:\Program Files (x86)\shttps_mg\http.exe service’.

Because the service path contains spaces and is not quoted, Windows has to guess where the executable name ends. A local attacker who can write to a directory that Windows checks earlier when resolving the path can place a malicious executable there under a name Windows will match first, so the service runs the wrong file. The advisory notes this can lead to arbitrary code execution, unauthorised access to the system or service disruption. Severity is reported as 8.5, HIGH.

Why this matters to businesses

If you run Small HTTP Server on Windows boxes, this is a direct operational risk to servers and workstations alike. Local compromise can become a corporate compromise, since an account with write access to program folders or removable media can be turned into code execution.

Consequences include downtime while you investigate, recovery costs, potential data access by attackers and regulatory questions if sensitive information is reachable. Given how often teams assume local access is low risk, this is the kind of thing that silently eats at resilience when suppliers, temp contractors or legacy images are involved.

If you’ve got the same weakness, here’s what happens next

First, an attacker drops a trojan in a location Windows will prefer when resolving the unquoted path, then the service starts that trojan with the service’s privileges. From there, escalation and lateral movement are straightforward if other controls are weak.

Over days you can quietly end up with persistence, stolen credentials, and services behaving badly. Recovery drags on because you’re cleaning infected hosts, reprovisioning images and reissuing secrets rather than just flipping a patch switch.

What to do on Monday morning

  • Inventory: find every instance of Small HTTP Server 3.06.36 or the ‘shttps_mg’ install path using software inventory and endpoint queries.

  • Quote the service path immediately where possible, and where you cannot, stop the service and restrict local write access to parent directories.

  • Apply vendor updates or patches when available, and block execution from untrusted locations until patched.

  • Harden local file permissions, remove write access for non-admin accounts and review removable media / network share permissions.

  • Increase monitoring: enable process creation logging, watch for unexpected launches of http.exe and alert on service restarts from unusual directories.

  • Confirm backup and restore readiness for affected systems so you can recover cleanly if you need to rebuild hosts.

  • Review supplier and image build processes to ensure third-party binaries are installed with quoted paths and least privilege.
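
One way to carry out the inventory and quoting steps above from an elevated PowerShell prompt. This is an added example, not code from the advisory or the vendor; the function names are hypothetical, and it assumes the executable part of a service's ImagePath ends at the first ".exe" followed by whitespace.

```powershell
# Added example (not vendor or advisory code). Function names are hypothetical.
# Assumption: the executable part of ImagePath ends at the first ".exe" that is
# followed by whitespace or the end of the string.
function Split-ServiceImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $m = [regex]::Match($ImagePath.Trim(), '^(?<exe>[^"]+?\.exe)(?<rest>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }   # already quoted, a driver (.sys), or unparseable
    [pscustomobject]@{ Exe = $m.Groups['exe'].Value; Arguments = $m.Groups['rest'].Value }
}

function Test-UnquotedServicePath {
    # True only when the path is unquoted AND the executable portion contains a space.
    param([Parameter(Mandatory)][string]$ImagePath)
    $parts = Split-ServiceImagePath -ImagePath $ImagePath
    return ($null -ne $parts) -and $parts.Exe.Contains(' ')
}

function Get-QuotedServicePath {
    # Wraps only the executable in quotes and keeps the arguments unchanged.
    param([Parameter(Mandatory)][string]$ImagePath)
    $parts = Split-ServiceImagePath -ImagePath $ImagePath
    if ($null -eq $parts) { return $ImagePath }
    '"{0}"{1}' -f $parts.Exe, $parts.Arguments
}

function Get-UnquotedService {
    # Read-only audit of every Win32 service on the local host.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath -ImagePath $_.PathName) } |
        Select-Object Name, StartName, State, PathName,
            @{ Name = 'QuotedPath'; Expression = { Get-QuotedServicePath -ImagePath $_.PathName } }
}

function Set-QuotedServicePath {
    # Writes the corrected value; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$QuotedPath)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $QuotedPath")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $QuotedPath -Type ExpandString
    }
}

# Check the path quoted in this article (a constructed call, no service required):
Get-QuotedServicePath -ImagePath 'C:\Program Files (x86)\shttps_mg\http.exe service'

# Audit the local host, then preview the fix for each finding:
Get-UnquotedService | Format-List
Get-UnquotedService | ForEach-Object { Set-QuotedServicePath -Name $_.Name -QuotedPath $_.QuotedPath -WhatIf }
```

Remove `-WhatIf` only after reviewing the proposed values, and restart the affected service so it starts from the corrected path.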

Where ISO standards fit, without the sales pitch

An ISO 27001 aligned management system makes this kind of thing less likely, because it forces you to know what software is on your estate and who can change it, see https://synergosconsultancy.co.uk/iso27001/ for a practical route to that discipline.

When service disruption and recovery matter, an ISO 22301 approach to business continuity helps you define recovery priorities and runbooks so a compromised HTTP service doesn’t become a week-long crisis, see https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/.

For basic baseline controls like inventory, patching and access management, frameworks such as IASME map neatly to the immediate fixes you need, and you can read about those practical controls at https://synergosconsultancy.co.uk/iasme-certifications/.

All of these are about repeatable processes, not heroics at 3am.

Acting now reduces blast radius: quote paths, lock down writes, monitor for unexpected http.exe launches and patch or replace the binary.

Check Windows services running Small HTTP Server now: quote the service paths, lock down write access and add process creation alerts before lunch; your ops team will thank you later.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.