CVE-2020-37102
Unquoted Service Path in Adaware WCAssistantService Enables Code Execution
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lavasoft | web_companion | 4.9.2159 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows local attackers to execute arbitrary code with LocalSystem privileges, potentially compromising confidentiality, integrity, and availability of the affected system.
Such a compromise could lead to unauthorized access or modification of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "Adaware Web Companion version 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService. This means the service's executable path is not enclosed in quotes, which on Windows systems can be exploited by local attackers."}, {'type': 'paragraph', 'content': 'Because the path contains spaces and is unquoted, an attacker can place a malicious executable in a location that Windows will search before the legitimate service executable. When the service starts, the malicious executable is run instead.'}, {'type': 'paragraph', 'content': 'This vulnerability allows local attackers to execute arbitrary code with LocalSystem privileges during service startup.'}] [2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute arbitrary code with the highest system privileges (LocalSystem).
Such an exploit can compromise the confidentiality, integrity, and availability of the affected system, potentially leading to full system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking the service path of the 'WCAssistantService' on Windows systems to see if it is unquoted and contains spaces."}, {'type': 'paragraph', 'content': 'A common method is to query the service configuration to inspect the binary path. For example, using the Windows command line, you can run:'}, {'type': 'list_item', 'content': 'sc qc WCAssistantService'}, {'type': 'paragraph', 'content': 'If the binary path shown is not enclosed in quotes and contains spaces (e.g., C:\\Program Files\\Lavasoft\\Web Companion\\Application\\Lavasoft.WCAssistant.WinService.exe), the service is vulnerable to unquoted service path exploitation.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately ensure that the service binary path is enclosed in quotes to prevent execution of malicious executables placed in the path.
Alternatively, update or patch Adaware Web Companion to a version where this vulnerability is fixed.
As a temporary measure, restrict local user permissions to prevent unauthorized users from placing executables in directories that are part of the service path.