CVE-2019-25286

HIGH

GCaf 3.0 - Unquoted Service Path in gbClientService

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25286. PoCs published by 4ll4u.

AI-analyzed exploit summary This is a writeup describing an unquoted service path vulnerability in _GCafé 3.0's 'gbClientService'. The vulnerability allows for potential privilege escalation if an executable is placed in a path with spaces and no quotes.

Description

GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions.

Exploits (1)

exploitdb WRITEUP
by 4ll4u · textlocalwindows
https://www.exploit-db.com/exploits/47604

This is a writeup describing an unquoted service path vulnerability in _GCafé 3.0's 'gbClientService'. The vulnerability allows for potential privilege escalation if an executable is placed in a path with spaces and no quotes.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Theoretical
Target: _GCafé 3.0
Auth required
Prerequisites: Local access to the system · Ability to write to a directory in the unquoted path
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47604
Various Sources product
https://gcafe.vn/

Scores

CVSS v3 7.8
EPSS 0.0015
EPSS Percentile 4.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Products (1)
Gcafe/_GCafé 3.0
Published Feb 05, 2026
Tracked Since Feb 18, 2026