CVE-2020-37060
Unquoted Service Path LPE in Atomic Alarm Clock

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access.
Meta Information
Published: 2026-01-30
Last Modified: 2026-01-30
Generated: 2026-06-16
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: drive_software, Product: atomic_alarm_clock, Version / Range: 6.3
CWE ID: CWE-428
Description: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Detection Guidance

You can detect this vulnerability by checking the configuration of the Atomic Alarm Clock service, named "AtomicAlarmClock", for an unquoted service path: a service executable path that includes spaces but is not enclosed in quotes, which allows path hijacking. On a Windows system, run the command "sc qc AtomicAlarmClock" to query the service configuration and inspect the binary path for unquoted spaces. Additionally, search for a malicious "Program.exe" in directories along the service path, especially the root of the system drive. [2, 3]

Executive Summary

This vulnerability in Atomic Alarm Clock 6.3 is a local privilege escalation issue caused by an unquoted service path in its service configuration. Because the service path is not properly quoted, an attacker with local access can place a malicious executable named 'Program.exe' in a directory along the service path. When the service starts, it may execute this malicious executable with SYSTEM-level privileges, allowing the attacker to run arbitrary code with the highest system privileges and gain persistent system-level access. [2, 3]

Impact Analysis

This vulnerability can allow an attacker with limited local privileges to escalate their privileges to SYSTEM level, which is the highest level of privilege on a Windows system. This means the attacker can execute arbitrary code with full control over the system, potentially leading to persistent unauthorized access, system compromise, data theft, or disruption of system availability. [2, 3]

Mitigation Strategies

Immediate mitigation steps include correcting the service path by properly quoting the executable path in the service configuration to prevent path hijacking. Alternatively, restrict write permissions on directories along the service path, especially the root of the system drive, to prevent placing malicious executables like "Program.exe". Also, monitor and remove any unauthorized "Program.exe" files in these directories. If possible, update or patch Atomic Alarm Clock to a version that addresses this vulnerability. [2, 3]
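
The check from Detection Guidance and the quoting fix from Mitigation Strategies, as an added example that is not part of the original page or the vendor's code. It parses `sc qc` output, lists the locations that should be audited for unexpected executables and loose write permissions, and produces the correctly quoted value. The sample output and its install path are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed `sc qc` output. The binary path is a placeholder, not the
# product's real install path (the page does not give it).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AtomicAlarmClock
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Example Vendor\Example App\svc.exe -run
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` text, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def split_exe(path):
    """Split an unquoted command line into (executable, arguments)."""
    m = re.match(r"^(.*?\.exe)(?=\s|$)(.*)$", path, re.I)
    return (m.group(1), m.group(2)) if m else (path, "")

def audit_locations(path):
    """Paths resolved before the real binary when the path is unquoted.

    Each space in the executable path yields one location to check for
    unexpected files and for write access by non-administrators.
    """
    if path.startswith('"'):
        return []  # quoted: no ambiguity (CWE-428 does not apply)
    exe, _ = split_exe(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted_form(path):
    """The corrected value: executable quoted, arguments left outside."""
    if path.startswith('"'):
        return path
    exe, args = split_exe(path)
    return '"%s"%s' % (exe, args)

if __name__ == "__main__":
    p = binary_path(SAMPLE_SC_QC)
    for loc in audit_locations(p):
        print("audit:", loc)
    print("fix  :", quoted_form(p))
```

An empty result from `audit_locations` means the path is already quoted; any entry that exists on disk or sits in a directory writable by standard users warrants investigation.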
