Security Vulnerability Report
CVE-2020-37231 CVSS 7.8 HIGH

CVE-2020-37231

Published: 2026-05-16 16:16:19
Last Modified: 2026-05-18 20:16:37

Description

Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Attackers can place malicious executables in the unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Privacy Drive 3.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2020-37231
# This script demonstrates the vulnerability check logic.
# An attacker would place a malicious executable at the vulnerable path.


def check_unquoted_service_path():
    # Simulating the vulnerable service path found in Privacy Drive 3.17.0
    # Example path: C:\Program Files\Cybertron\Privacy Drive\pdsvc.exe
    service_path = r"C:\Program Files\Cybertron\Privacy Drive\pdsvc.exe"

    print(f"[*] Checking service path: {service_path}")

    # Check if path contains spaces and is not quoted
    if " " in service_path and not (service_path.startswith('"') and service_path.endswith('"')):
        print("[+] Vulnerable: Unquoted service path detected!")

        # Identify potential drop locations for the exploit.
        # Windows splits an unquoted path at each space and tries the text
        # before the space, with ".exe" appended, before the intended binary.
        print("[*] Potential exploitation points:")
        for i, ch in enumerate(service_path):
            if ch == " ":
                exe_path = service_path[:i] + ".exe"
                print(f"    - {exe_path}")

        # In a real attack, an attacker would copy a malicious payload
        # to one of these locations (e.g., C:\Program.exe)
        # and wait for the service to restart or the system to reboot.
    else:
        print("[-] Service path appears safe.")


if __name__ == "__main__":
    check_unquoted_service_path()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-37231", "sourceIdentifier": "[email protected]", "published": "2026-05-16T16:16:19.050", "lastModified": "2026-05-18T20:16:36.607", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Attackers can place malicious executables in the unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.cybertronsoft.com/", "source": "[email protected]"}, {"url": "https://www.cybertronsoft.com/download/privacy-drive-setup.exe", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49023", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/privacy-drive-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}