Security Vulnerability Report
CVE-2020-37232 CVSS 7.8 HIGH

CVE-2020-37232

Published: 2026-05-16 16:16:19
Last Modified: 2026-05-18 17:32:05

Description

Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Attackers can place malicious executables in the system root path that will be executed with LocalSystem privileges during service startup or system reboot.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Advanced System Care Service 13.0.0.157

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
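# PoC for CVE-2020-37232
# This script demonstrates how to identify the unquoted service path vulnerability.
import os
import subprocess


def extract_binary_path(sc_output):
    """Return the BINARY_PATH_NAME value from ``sc qc`` output, or None.

    The value is everything after the FIRST colon on the line. A Windows
    path carries its own colon after the drive letter, so splitting on every
    colon would truncate the path to the bare drive letter.
    """
    for line in sc_output.splitlines():
        if "BINARY_PATH_NAME" not in line:
            continue
        _, separator, value = line.partition(":")
        if separator:
            return value.strip()
    return None


def is_unquoted_path_with_spaces(path):
    """Report whether a service command line has an unquoted executable path with a space.

    Heuristic: only the part up to the first ".exe" is inspected, so spaces
    that merely separate arguments from the executable are not flagged.
    When no ".exe" is present the whole string is inspected.
    """
    if not path or path.startswith('"'):
        return False
    exe_end = path.lower().find(".exe")
    executable = path if exe_end == -1 else path[: exe_end + len(".exe")]
    return " " in executable


def check_unquoted_service_path():
    """Query the service configuration and report whether its binary path is unquoted.

    Prints the raw ``sc qc`` output followed by the finding. Returns None.
    """
    service_name = "AdvancedSystemCareService13"
    print(f"[*] Checking service: {service_name}")

    try:
        # Query service configuration using sc.exe. An argument list avoids
        # handing a formatted string to the shell.
        result = subprocess.check_output(["sc", "qc", service_name], text=True)
    except (subprocess.CalledProcessError, OSError):
        # OSError covers hosts where sc.exe itself is not available.
        print(f"[-] Could not query service {service_name}. It may not be installed.")
        return

    print("\n--- Service Configuration ---")
    print(result)
    print("--------------------------")

    path = extract_binary_path(result)
    if path is None:
        print("[-] No BINARY_PATH_NAME entry found in the service configuration.")
        return

    print(f"[+] Binary Path: {path}")

    # Check if the executable path contains spaces and is not quoted
    if is_unquoted_path_with_spaces(path):
        print("[!] VULNERABILITY DETECTED: Path contains spaces and is unquoted.")
        print("[!] Exploitation: Create a malicious file named 'Program.exe' in C:\\ to gain SYSTEM privileges.")
        # Whether this is reachable in practice depends on who can write to
        # the directories along the path; report the fix alongside the finding.
        print("[*] Mitigation: wrap the service binary path in double quotes and "
              "restrict write access to every directory along the path.")
    else:
        print("[-] Path is quoted or does not contain spaces. Not vulnerable via this vector.")


if __name__ == "__main__":
    check_unquoted_service_path()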

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-37232", "sourceIdentifier": "[email protected]", "published": "2026-05-16T16:16:19.180", "lastModified": "2026-05-18T17:32:04.823", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Attackers can place malicious executables in the system root path that will be executed with LocalSystem privileges during service startup or system reboot."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49049", "source": "[email protected]"}, {"url": "https://www.iobit.com", "source": "[email protected]"}, {"url": "https://www.iobit.com/es/advancedsystemcarepro.php", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/advanced-system-care-service-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}