CVE-2020-37129
Insecure Folder Permissions in Memu Play Allows SYSTEM Privilege Escalation

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: VulnCheck

Description
Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions.
Meta Information
Published: 2026-02-05
Last Modified: 2026-02-05
Generated: 2026-05-07
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: microvirt
Product: memu_play
Version / Range: 7.1.3
CWE ID: CWE-276
Description: During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2020-37129 is a vulnerability in Memu Play version 7.1.3 caused by insecure folder permissions. It allows low-privileged users to modify the MemuService.exe executable because the folder containing this service executable has unrestricted file modification permissions.

An attacker with local access can replace the legitimate MemuService.exe with a malicious file. Since this service runs with SYSTEM-level privileges and is configured to start automatically at system boot, the malicious executable will run with those high privileges after a system restart, enabling privilege escalation.


How can this vulnerability impact me?

This vulnerability can allow an attacker with low privileges and local access to escalate their privileges to SYSTEM level on the affected machine.

  • The attacker can replace the MemuService.exe with a malicious executable that runs with the highest system privileges.
  • Upon system restart, the malicious executable runs automatically, giving the attacker full control over the system.
  • This can lead to complete system compromise, including unauthorized access to sensitive data, system manipulation, and disruption of services.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the folder permissions of the directory containing MemuService.exe, typically located at "C:\Program Files (x86)\Microvirt\MEmu\". Specifically, you should verify if low-privileged users or the "Authenticated Users" group have modify or full control permissions on this folder or the MemuService.exe file.

On a Windows system, you can use the following commands to inspect permissions:

  • Use the command `icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"` to view the access control list (ACL) for the executable.
  • Use `icacls "C:\Program Files (x86)\Microvirt\MEmu"` to check the folder permissions.

If the output shows that the "Users" or "Authenticated Users" groups have modify or full control permissions, the system is vulnerable. [2]
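One way to script the check described above, as an added example (not code from the advisory or the vendor): it reads the ACLs with Get-Acl and reports allow entries that give write-capable rights to well-known low-privileged groups. The paths are the typical install location named above, and the function name Test-WritableByLowPriv is hypothetical.

```powershell
# Added example: audit ACLs on the MEmu install folder and service binary.
# Paths are the typical install location; adjust if MEmu is installed elsewhere.
$targets = @(
    'C:\Program Files (x86)\Microvirt\MEmu',
    'C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe'
)

# Well-known SIDs of low-privileged principals (independent of OS language).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow replacing or altering a file. Modify and FullControl both
# contain these bits; GENERIC_ALL and GENERIC_WRITE cover unmapped generic ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int]$rights -bor 0x10000000 -bor 0x40000000

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    # Ask for SIDs instead of account names so the lookup table above matches.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $lowPrivSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @(foreach ($t in $targets) { Test-WritableByLowPriv -Path $t })
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Low-privileged principals can modify the service folder or binary (CWE-276).'
} else {
    Write-Output 'No write-capable allow entries for low-privileged groups were found.'
}
```

Deny entries and membership in other groups are not evaluated, so a clean result is a first pass rather than an effective-access calculation.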


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should restrict the folder and file permissions of the MemuService.exe executable and its containing directory to prevent modification by low-privileged users.

  • Remove modify or full control permissions for the "Users" or "Authenticated Users" groups on the folder "C:\Program Files (x86)\Microvirt\MEmu\" and the MemuService.exe file.
  • Ensure that only Administrators and the SYSTEM account have full control permissions on these files and folders.

Additionally, consider monitoring the integrity of MemuService.exe and related files to detect unauthorized changes.

If possible, apply any official patches or updates from the vendor that address this insecure permission issue. [1, 2]

