CVE-2020-37016
Unknown Unknown - Not Provided
Unquoted Service Path in BarcodeOCR 19.3.6 Enables Privilege Escalation

Publication date: 2026-01-29

Last updated on: 2026-01-29

Assigner: VulnCheck

Description
BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37016
EUVD
EUVD-2020-30920
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
barcodeocr barcodeocr 19.3.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-37016 is an unquoted service path vulnerability in BarcodeOCR version 19.3.6. This means that the service executable path is not enclosed in quotes, allowing local attackers to place malicious executables in directories along the service path. When the system starts, these malicious executables can be run with elevated LocalSystem privileges, enabling attackers to execute arbitrary code with high-level control over the system. [2, 3]

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges by executing arbitrary code with LocalSystem privileges during system startup. This means the attacker can gain full control over the affected system, potentially leading to unauthorized access, data manipulation, or disruption of system operations. [2, 3]

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the BarcodeOCR service configuration. Commands such as WMIC (Windows Management Instrumentation Command-line) and service query commands can be used to identify unquoted service paths. For example, using WMIC to query the service executable path and inspecting if the path is not enclosed in quotes can reveal the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent execution of malicious executables. Additionally, restricting local user permissions to prevent unauthorized file placement in directories along the service path and applying any available patches or updates from the vendor are recommended. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart