CVE-2020-36958
Unknown Unknown - Not Provided
Unquoted Service Path in KiteService Allows Local Code Execution

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: VulnCheck

Description
Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36958
EUVD
EUVD-2020-30852
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor kite 1.2020.1119.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an unquoted service path issue in the KiteService Windows service of Kite version 1.2020.1119.0. Because the service executable path 'C:\Program Files\Kite\KiteService.exe' is not enclosed in quotes, a local attacker can exploit this by placing malicious executables in certain locations within the path. When the system tries to start the service, it may execute the malicious code instead of the legitimate service executable, allowing the attacker to run arbitrary code with elevated privileges. [1, 3]

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code on the affected system with elevated privileges by exploiting the unquoted service path. This means the attacker can escalate their privileges, potentially gaining control over the system, compromising confidentiality, integrity, and availability of data and system resources. [1, 3]

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in Windows services, specifically for the 'KiteService'. Commands such as Windows Management Instrumentation Command-line (WMIC) and Service Control (sc) can be used to identify services with unquoted paths that start automatically and are not located in the Windows directory. For example, using 'wmic service get name,pathname,startmode' to list services and their paths, and 'sc qc KiteService' to query the configuration of the KiteService can help detect the unquoted path issue. [1]

Mitigation Strategies

Immediate mitigation steps include correcting the unquoted service path by enclosing the service executable path in quotes to prevent path hijacking. For the KiteService, the path 'C:\Program Files\Kite\KiteService.exe' should be updated to '"C:\Program Files\Kite\KiteService.exe"'. Additionally, restricting local user permissions to prevent unauthorized placement of executables in the service path directories can reduce risk. If possible, disabling or uninstalling the vulnerable KiteService until a patched version is available is recommended. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart