CVE-2020-36928
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-02-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| brother | bragent | 1.38 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in Brother BRAgent version 1.38's 'WBA_Agent_Client' Windows service. Because the service executable path contains spaces and is not enclosed in quotes, an attacker with local access can place a malicious executable in a directory path segment that Windows interprets before the legitimate service executable. When the service starts, it executes the malicious code with elevated LocalSystem privileges, allowing privilege escalation. [1, 3]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with local access to execute arbitrary code with system-level privileges on the affected machine. This can lead to full control over the system, including compromising confidentiality, integrity, and availability of data and services. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unquoted service paths in Windows services, specifically the 'WBA_Agent_Client' service. You can use Windows Management Instrumentation Command-line (WMIC) and Service Control (sc) commands to identify services with unquoted paths that start automatically and are not located in the Windows directory. For example, use the command: wmic service get name,pathname,startmode | findstr /i "WBA_Agent_Client" to find the service path, and then check if the path is unquoted. Additionally, use sc qc WBA_Agent_Client to query the service configuration and verify if the executable path is unquoted. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enclosing the service executable path in quotes to prevent path parsing issues. Specifically, update the 'WBA_Agent_Client' service path from an unquoted path like C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe to a quoted path "C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe". This can be done by editing the service configuration using the sc command or registry editor. Additionally, ensure that only trusted users have write permissions to directories in the service path to prevent malicious executable placement. If possible, apply any vendor patches or updates addressing this issue. [1, 3]