CVE-2020-36952
Unquoted Service Path Vulnerability in IObit Uninstaller Enables Privilege Escalation
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iobit | iobit_uninstaller | 10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in IObit Uninstaller 10 Pro. The service executable path contains spaces but is not enclosed in quotation marks, which causes Windows to misinterpret the path. This allows a local attacker to place a malicious executable in a higher-priority directory, which Windows then executes during service startup. As a result, the attacker can execute arbitrary code with SYSTEM-level privileges. [2, 3]
How can this vulnerability impact me?
If exploited, this vulnerability allows a local attacker to execute code with elevated SYSTEM-level privileges on the affected machine. This means the attacker can gain full control over the system, potentially installing malware, stealing data, or disrupting system operations. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the IObit Uninstaller Service for an unquoted service path. Specifically, look for the service named "IObitUnSvr" and verify whether its executable path contains spaces but is not enclosed in quotation marks. On a Windows system, you can use the following command in an elevated command prompt or PowerShell to query the service configuration (in Windows PowerShell, `sc` on its own is an alias for `Set-Content`, so call `sc.exe` explicitly):

```
sc.exe qc IObitUnSvr
```

If the BINARY_PATH_NAME output contains spaces and is not enclosed in quotes, the service is vulnerable. Alternatively, you can use PowerShell to find all services with unquoted paths containing spaces:

```powershell
Get-WmiObject win32_service | Where-Object { $_.PathName -match ' ' -and $_.PathName -notmatch '"' } | Select-Object Name, PathName
```

This will help identify services with unquoted paths that could be exploited. [3]
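The PowerShell filter in the answer above matches on any space and any quote in the whole `PathName`, so it also reports entries such as `svchost.exe -k netsvcs` (space only in the arguments) and skips an unquoted path whose arguments happen to contain a quote. The following is an added example, not taken from the original page or from IObit: the function name `Test-UnquotedServicePath` and the sample entries are constructed for illustration, and it inspects only the executable portion of the path.

```powershell
# Added example: audit service image paths for CWE-428 (unquoted search path).
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()

    # A path that begins with a quote is already delimited.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe"
    # that is followed by whitespace or end of string. Entries without an
    # .exe (for example kernel drivers) are out of scope for this check.
    if ($p -notmatch '^(.+?\.exe)(\s|$)') { return $false }

    # Only whitespace inside the executable path matters; whitespace in
    # trailing arguments does not make the path ambiguous.
    return $Matches[1].Contains(' ')
}

# Constructed sample data: the unquoted form of the path named on this page,
# its quoted (remediated) form, and two entries the simple filter misjudges.
$samples = @(
    [pscustomobject]@{ Name = 'IObitUnSvr'
                       PathName = 'C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe' }
    [pscustomobject]@{ Name = 'IObitUnSvr (quoted)'
                       PathName = '"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe"' }
    [pscustomobject]@{ Name = 'ExampleArgsOnly'
                       PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'ExampleQuotedArg'
                       PathName = 'C:\Program Files\Example\agent.exe --config "c:\cfg.ini"' }
)

# Offline check against the samples.
$samples |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, PathName

# Same check against the services registered on the local host.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, PathName
```

`StartName` shows the account each flagged service runs as, which helps prioritise services that start as LocalSystem.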
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately enclose the service executable path in quotation marks to prevent Windows from misinterpreting the path. For the IObit Uninstaller Service "IObitUnSvr", update the service configuration so that the binary path is quoted, for example:

```
"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe"
```

This prevents attackers from inserting malicious executables in higher-priority directories. Additionally, restrict local user permissions to prevent unauthorized file writes in system paths. Applying the latest patches or updates from IObit, if available, is also recommended. [3]