CVE-2020-36957
Unquoted Service Path in PDF Complete pdfsvc.exe Enables Privilege Escalation
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pdf_complete | pdf_complete | 3.5.310.2002 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36957 is an unquoted service path vulnerability in the pdfsvc.exe service of PDF Complete version 3.5.310.2002. Because the service path is unquoted and contains spaces, an attacker with local access can exploit this by placing a malicious executable in a path that the system might execute instead of the legitimate service binary. This allows the attacker to inject and execute malicious code with elevated LocalSystem privileges, effectively escalating their privileges on the system. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute malicious code with LocalSystem privileges. This means the attacker can gain full control over the affected system, potentially compromising confidentiality, integrity, and availability of data and system resources. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by querying Windows Management Instrumentation (WMI) and Service Control Manager (SCM) to identify services with unquoted paths running with auto-start mode, specifically filtering for the 'pdfsvc' service. For example, you can use PowerShell commands such as: Get-WmiObject win32_service | Where-Object { $_.PathName -like '*pdfsvc*' -and $_.StartMode -eq 'Auto' } to find the service and check if the executable path is unquoted and contains spaces. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent path hijacking. Alternatively, restrict local user permissions to prevent placing malicious executables in paths that could be executed by the vulnerable service. Ensuring the service runs with the least privileges necessary and applying any available updates or patches from the vendor is also recommended. [1, 2]