Insecure File/Folder Permissions
Even if service has quoted path, but users have write access to the path, they can supply their own exe. Once restarted payload.exe should run with privileges of the application.
F = Full Control CI = Container Inherit – This flag indicates that subordinate containers will inherit this ACE. OI = Object Inherit – This flag indicates that subordinate files will inherit the ACE. M = Modify