CVE-2020-36935
Unquoted Service Path Vulnerability in KMSpico Enables Code Execution
Publication date: 2026-01-25
Last updated on: 2026-01-25
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | kmspico | 17.1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in KMSpico version 17.1.0.0, specifically in the 'Service KMSELDI'. The service executable path "C:\Program Files\KMSpico\Service_KMS.exe" is not enclosed in quotes. Because the path contains spaces and is unquoted, a local attacker with limited privileges can place a malicious executable in a location that Windows might execute instead of the intended service binary. This allows the attacker to execute arbitrary code with elevated privileges. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow a local attacker to escalate their privileges by executing arbitrary code with elevated rights. This means the attacker can gain higher-level access on the affected system, potentially compromising confidentiality, integrity, and availability of the system and its data. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the service configuration for unquoted service paths, specifically for the 'Service KMSELDI'. On a Windows system, use the command: sc qc KMSELDI. This will display the binary path of the service. If the path contains spaces and is not enclosed in quotes, it is vulnerable. For example, if the path is C:\Program Files\KMSpico\Service_KMS.exe without quotes, the service is vulnerable to this issue. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the service configuration to enclose the executable path in quotes. For example, change the service binary path to "C:\Program Files\KMSpico\Service_KMS.exe". This prevents Windows from misinterpreting the path and executing malicious executables placed in the path. Additionally, restrict local user permissions to prevent unauthorized users from placing executables in the service path directories. [2]