CVE-2020-37017
Unquoted Service Path in CodeMeter 6.60 Enables Privilege Escalation

Publication date: 2026-01-29

Last updated on: 2026-02-09

Assigner: VulnCheck

Description
CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-29
EPSS evaluated: 2026-05-25
Affected Vendors & Products
Vendor: wibu-systems
Product: codemeter
Version / Range: 6.60
CWE ID: CWE-428
Description: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2020-37017 is an unquoted service path vulnerability in CodeMeter version 6.60. The CodeMeter Runtime Server service executable path contains spaces but is not enclosed in quotes, which allows a local attacker to place a malicious executable in a directory along the path. When the service starts, this malicious code can be executed with elevated LocalSystem privileges, enabling arbitrary code execution with high system access. [1, 3]


How can this vulnerability impact me?

This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute arbitrary code with SYSTEM-level privileges. This can compromise the confidentiality, integrity, and availability of the affected system, potentially leading to full system compromise or unauthorized control over software licensing and related services managed by CodeMeter. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unquoted service paths in the CodeMeter Runtime Server service executable path. Specifically, you can query Windows Management Instrumentation (WMI) to identify services with auto-start mode and unquoted paths that contain spaces, excluding system directories. For example, using PowerShell, you can list services with unquoted paths with:

Get-WmiObject win32_service | Where-Object { $_.PathName -like '* *' -and $_.PathName -notlike '"*"*' } | Select-Object Name, PathName

Then, verify whether the CodeMeter Runtime Server service executable path is unquoted (e.g., C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe). This detection helps identify whether the service is vulnerable to path injection attacks. [3]
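The one-liner above lists every service with a space in an unquoted path but does not apply the auto-start and system-directory filters the answer describes, nor does it show which directories matter. The following script is an added example (not from the original page and not Wibu-Systems code) that does both: it uses Get-CimInstance instead of the older Get-WmiObject, restricts the query to auto-start services outside the Windows directory, computes the parent paths Windows probes before the real binary (for the CodeMeter path on this page, C:\Program.exe and C:\Program Files.exe), and reports whether a standard user group holds write rights on any of those directories. The `IsCodeMeter` flag matches on the display name "CodeMeter Runtime Server" given on the page; the service's short name is not on the page and is not assumed.

```powershell
# Added example, not from the original page or from Wibu-Systems.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows; no elevation needed to query.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            $_.PathName -notmatch '^"' -and                     # not already quoted
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and  # exclude the system directory
            $_.PathName -match '\s'                             # contains whitespace
        } |
        ForEach-Object {
            # The executable is everything up to the first ".exe"; anything after is arguments.
            $exe = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }

            # For "C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe" Windows would
            # try C:\Program.exe, then "C:\Program Files.exe", before the real binary.
            # These are the locations whose directory ACLs need review.
            $parts  = $exe -split ' '
            $probed = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }

            # Record any probed directory where Users / Everyone / Authenticated Users
            # hold an Allow ACE with write-type rights.
            $writable = foreach ($p in $probed) {
                $dir = Split-Path -Path $p -Parent
                if (Test-Path -LiteralPath $dir) {
                    (Get-Acl -LiteralPath $dir).Access |
                        Where-Object {
                            $_.AccessControlType -eq 'Allow' -and
                            $_.IdentityReference -match 'Users|Everyone' -and
                            $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
                        } |
                        ForEach-Object { $dir }
                }
            }

            [pscustomobject]@{
                Name             = $_.Name
                DisplayName      = $_.DisplayName
                PathName         = $_.PathName
                ProbedPaths      = $probed
                UserWritableDirs = @($writable | Select-Object -Unique)
                IsCodeMeter      = ($_.DisplayName -like '*CodeMeter*')
            }
        }
}

# Usage: list all findings; a non-empty UserWritableDirs is the condition to remediate first.
Get-UnquotedServicePath | Format-List
```

On a default installation the probed directories resolve to the drive root, which standard users cannot write to, so `UserWritableDirs` is normally empty even when the path is unquoted; a non-empty list means the mitigation in the next answer (quoting the path and tightening directory permissions) is urgent rather than merely recommended.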


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent malicious code injection. Specifically, update the service configuration to quote the path to CodeMeter.exe, for example: "C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe". Additionally, restrict write permissions on directories in the service path to prevent unauthorized users from placing malicious executables. If possible, update CodeMeter Runtime software to a version where this vulnerability is fixed or apply vendor-provided patches. As a temporary measure, consider disabling or stopping the CodeMeter Runtime Server service if it is not critical to operations until the issue is resolved. [1, 3]
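The quoting step described above can be done with sc.exe, but escaping nested quotes on its command line is error-prone. The function below is an added example (not from the original page and not Wibu-Systems code) that rewrites the service's ImagePath in the registry, keeping any command-line arguments outside the quotes and supporting -WhatIf so the change can be previewed first. It assumes an elevated session and resolves the short service name from the display name "CodeMeter Runtime Server" given on the page, since the short name itself is not on the page.

```powershell
# Added example, not from the original page or from Wibu-Systems. Run elevated.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath

    if ($current -match '^"') {
        Write-Verbose "$Name is already quoted: $current"
        return $current
    }

    # Split at the first ".exe" so arguments (if any) stay outside the quotes.
    if ($current -match '^(?<exe>.*?\.exe)(?<args>.*)$') {
        $fixed = '"' + $Matches['exe'] + '"' + $Matches['args']
    } else {
        $fixed = '"' + $current + '"'
    }

    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
        # ImagePath is normally REG_EXPAND_SZ; keep that type when writing.
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        # Restart so the service control manager uses the quoted path.
        Restart-Service -Name $Name -ErrorAction SilentlyContinue
    }
    return $fixed
}

# Resolve the short name from the display name on the page, preview, then apply without -WhatIf.
$svc = Get-Service -DisplayName 'CodeMeter Runtime Server' -ErrorAction SilentlyContinue
if ($svc) {
    Repair-UnquotedServicePath -Name $svc.Name -WhatIf
} else {
    Write-Warning 'CodeMeter Runtime Server service not found on this host.'
}
```

After applying the change, confirm with `(Get-Service -DisplayName 'CodeMeter Runtime Server' | Get-CimInstance -ClassName Win32_Service).PathName` or by re-running the detection query above; the path should now begin with a double quote. Quoting removes the ambiguous lookup, but the answer's second step, restricting write access on the directories along the path, still applies because other services may share them.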

