CVE-2020-37098
Unknown Unknown - Not Provided
Unquoted Service Path in Disk Sorter Enterprise Enables Privilege Escalation

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37098
EUVD
EUVD-2020-30978
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
disk_sorter disk_sorter_enterprise to 12.4.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-37098 is an unquoted service path vulnerability found in Disk Sorter Enterprise version 12.4.16 and earlier. This flaw occurs because the service executable path is not enclosed in quotes, allowing local attackers to place malicious executables in a location that the system searches before the legitimate service executable.

When the service starts, it may execute the malicious executable with elevated system privileges, specifically with LocalSystem permissions, which grants full control over the affected system.

Impact Analysis

Exploitation of this vulnerability allows a local attacker to execute arbitrary code with elevated privileges on the affected system.

  • Attackers can gain LocalSystem level access, which is the highest privilege level on Windows systems.
  • This can lead to full system compromise, including unauthorized access, modification, or destruction of data.
  • Malicious code can be injected and executed automatically when the vulnerable service starts.
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the service configuration for unquoted service paths. Specifically, you need to verify if the executable path of the Disk Sorter Enterprise service is not enclosed in quotes.'}, {'type': 'list_item', 'content': 'Use the command `wmic service get name, pathname, startmode` to list services along with their executable paths and start modes.'}, {'type': 'list_item', 'content': 'Use the command `sc qc "Disk Sorter Enterprise"` to query the configuration of the Disk Sorter Enterprise service and check if the executable path is unquoted.'}] [2]

Mitigation Strategies

To mitigate this vulnerability, immediately update the service configuration to enclose the executable path in quotes. This prevents attackers from injecting malicious executables in the service path.

Additionally, ensure that only trusted users have local access to the system, as exploitation requires local access.

If possible, update Disk Sorter Enterprise to a version where this vulnerability is fixed or apply any vendor-provided patches.

Compliance Impact

The vulnerability allows local attackers to execute arbitrary code with elevated system privileges, potentially leading to full system compromise.

Such a compromise could result in unauthorized access, modification, or destruction of sensitive data, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding data confidentiality, integrity, and availability.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart