CVE-2020-37253
Received - Intake
Unquoted Service Path in Winstep Xtreme Service

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts.
Affected Vendors & Products
Showing 3 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| winstep | winstep_xtreme_service | 18.06.0096 |
| winstep | winstep | 18.06.0096 |
| winstep | winstep | to 18.06.0096 (exc) |
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
Executive Summary

CVE-2020-37253 is an unquoted service path vulnerability found in Winstep version 18.06.0096 and earlier, specifically in the Winstep Xtreme Service (WsxService).

Because the service executable path contains spaces but is not enclosed in quotes, local attackers can place malicious executables in the Program Files directory. When the service starts, Windows may resolve the ambiguous path to one of these files and run it with LocalSystem (SYSTEM) privileges.

This flaw allows attackers to escalate their privileges on the affected system by executing arbitrary code with elevated rights.

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges to LocalSystem level, which is the highest privilege level on a Windows system.

By exploiting this flaw, an attacker can execute arbitrary code with elevated privileges, potentially gaining full control over the affected system. Possible consequences include:

  • Unauthorized access to sensitive data.
  • Ability to install persistent malware or backdoors.
  • Disruption or manipulation of system operations.
Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the Winstep Xtreme Service executable path. Specifically, you need to verify if the service path contains spaces and is not enclosed in quotes, which allows exploitation.

On a Windows system, you can use the following command to check the service path for unquoted spaces:

  • sc qc WsxService

Review the output for the BINARY_PATH_NAME field. If the path contains spaces and is not enclosed in quotes, the service is vulnerable.

Alternatively, you can use PowerShell to find all services with unquoted paths containing spaces:

  • Get-WmiObject win32_service | Where-Object { $_.PathName -match ' ' -and $_.PathName -notmatch '"' } | Select-Object Name, PathName
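
The one-liner above also reports services whose only spaces are in their arguments, such as `svchost.exe -k netsvcs`. The following is an added example, not part of the original advisory or any vendor tooling, that flags a service only when the executable portion of the path is unquoted and contains whitespace. The function name `Test-UnquotedServicePath` and every sample entry other than the WsxService path shown on this page are constructed for illustration.

```powershell
# Added example: classify a service image path for CWE-428.
# Test-UnquotedServicePath is a hypothetical helper name, not a built-in cmdlet.
function Test-UnquotedServicePath {
    param([string]$PathName)

    $p = $PathName.Trim()

    # Empty paths are skipped; a path that starts with a quote is parsed unambiguously.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Take everything up to the first ".exe"; the remainder is arguments.
    # -match is case-insensitive by default in PowerShell.
    if ($p -notmatch '^(.+?\.exe)(\s|$)') { return $false }   # not an .exe image (e.g. a driver)
    $exe = $Matches[1]

    # Ambiguous only when the executable path itself contains whitespace.
    return ($exe -match '\s')
}

# Constructed sample data shaped like Win32_Service objects (not from a real host).
$samples = @(
    [pscustomobject]@{ Name = 'WsxService'; PathName = 'C:\Program Files\Winstep\WsxService.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc';  PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ArgsOnly';   PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'SpacedArgs'; PathName = 'C:\Program Files\Vendor\agent.exe /service' }
)

# Only WsxService and SpacedArgs are reported; QuotedSvc and ArgsOnly are not.
$samples |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, PathName

# On a live host, feed real services into the same filter:
# Get-CimInstance Win32_Service |
#     Where-Object { Test-UnquotedServicePath $_.PathName } |
#     Select-Object Name, StartName, PathName
```

Including `StartName` in the live query shows which flagged services run as LocalSystem, which helps prioritize remediation.
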
Mitigation Strategies

To mitigate this vulnerability immediately, you should correct the unquoted service path by enclosing the executable path in quotes. This prevents the system from misinterpreting the path and executing malicious files placed in directories with spaces.

Specifically, update the service configuration to quote the executable path, for example:

  • sc config WsxService binPath= "\"C:\Program Files\Winstep\WsxService.exe\""

Additionally, ensure that no unauthorized or suspicious executables exist in the Program Files directory or any directories referenced by the service path.

If possible, apply any available patches or updates from the vendor that address this vulnerability.
