CVE-2020-37059
Unknown Unknown - Not Provided
Unquoted Service Path in Popcorn Time Allows Privilege Escalation

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37059
EUVD
EUVD-2020-30955
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
popcorn_time popcorn_time 6.2.1.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include correcting the service path by quoting the executable path in the service configuration to prevent the system from misinterpreting the path. Additionally, restrict write permissions to directories like "Program Files (x86)" and the system root to prevent local users from placing malicious executables. Applying any available updates or patches from the vendor is also recommended. [1, 2]

Executive Summary

CVE-2020-37059 is an unquoted service path vulnerability in Popcorn Time version 6.2.1.14. This flaw allows local non-privileged users to execute arbitrary code with elevated SYSTEM-level privileges by placing malicious executables in directories like "Program Files (x86)" or the system root. Because the service path is unquoted and contains spaces, the system may incorrectly resolve the executable path during service startup, leading to privilege escalation. [1, 2]

Impact Analysis

This vulnerability can allow a local attacker with limited privileges to escalate their rights to SYSTEM-level privileges on the affected machine. By exploiting the unquoted service path, an attacker can execute malicious code with the highest system privileges, potentially leading to full system compromise, unauthorized access, and control over the system. [1, 2]

Detection Guidance

You can detect this vulnerability by checking the service configuration for an unquoted service path. On Windows, use the command: sc qc "Update service". This command will show the binary path of the service. If the path is unquoted and contains spaces (e.g., C:\Program Files (x86)\Popcorn Time\Updater.exe), the system is vulnerable to this unquoted service path issue. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37059. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart