Description

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck




HIGH: 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Authorization Bypass Through User-Controlled Key

Product status

4.5.0: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.exploit-db.com/exploits/40132 (ExploitDB-40132) exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php (Vulnerability Advisory) vendor-advisory

www.vulncheck.com/...l-privilege-escalation-via-nssm-x64-exe (VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe) third-party-advisory

cve.org (CVE-2016-20033)

nvd.nist.gov (CVE-2016-20033)
