CVE-2020-36928 Overview
CVE-2020-36928 is an unquoted service path vulnerability affecting Brother BRAgent version 1.38. The WBA_Agent_Client service runs with LocalSystem privileges and contains an unquoted service path in C:\Program Files (x86)\Brother\BRAgent\. This vulnerability allows local attackers to inject and execute malicious code with elevated system permissions by placing a specially crafted executable in the path.
Critical Impact
Attackers with local access can leverage the unquoted service path to escalate privileges to LocalSystem, enabling complete system compromise and persistent access.
Affected Products
- Brother BRAgent version 1.38
- WBA_Agent_Client Windows service
Discovery Timeline
- 2026-01-16 - CVE CVE-2020-36928 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2020-36928
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). When Windows services are installed with executable paths containing spaces that are not enclosed in quotation marks, the operating system parses the path incorrectly. The WBA_Agent_Client service runs with LocalSystem privileges, the highest privilege level on Windows systems, making successful exploitation particularly severe.
The service path C:\Program Files (x86)\Brother\BRAgent\ contains spaces but lacks proper quotation marks. When Windows attempts to start this service, it sequentially attempts to execute binaries at truncated path locations before reaching the intended executable.
Root Cause
The root cause of CVE-2020-36928 is improper service registration during Brother BRAgent installation. The installer failed to wrap the service executable path in quotation marks when configuring the Windows service. This programming oversight in the installation routine allows the Windows Service Control Manager to misinterpret the intended binary path, creating opportunities for path interception attacks.
Attack Vector
This is a local attack vector requiring the attacker to have write access to specific directories in the system path. When the service starts (either at system boot or when manually triggered), Windows parses the unquoted path by looking for executables at each space boundary.
For the path C:\Program Files (x86)\Brother\BRAgent\WBA_Agent_Client.exe, Windows will attempt to execute in order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\Brother\BRAgent\WBA_Agent_Client.exe
If an attacker can place a malicious Program.exe in the C:\ directory (which typically requires some level of local access), the malicious binary will execute with LocalSystem privileges when the service starts. Detailed technical information can be found in the VulnCheck Advisory and Exploit-DB #50010.
Detection Methods for CVE-2020-36928
Indicators of Compromise
- Presence of unexpected executables named Program.exe or Files.exe in the C:\ root directory
- Unusual binaries in C:\Program Files (x86)\Brother\ named with partial path components
- Service execution logs showing WBA_Agent_Client spawning unexpected child processes
- New or modified executables in system paths with names matching path traversal patterns
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -like "* *" -and $_.PathName -notlike '"*'}
- Monitor file creation events in C:\ root directory for executables matching service path components
- Audit Brother BRAgent service configuration for proper path quotation
- Implement file integrity monitoring on directories along the service path
Monitoring Recommendations
- Enable Windows Security Event logging for service start/stop events (Event IDs 7000, 7009, 7045)
- Configure endpoint detection to alert on unusual binary execution from C:\ root directory
- Monitor for privilege escalation attempts from user-level accounts to SYSTEM
- Track process creation chains originating from the WBA_Agent_Client service
How to Mitigate CVE-2020-36928
Immediate Actions Required
- Audit the WBA_Agent_Client service path and manually add quotation marks to the registry entry
- Remove any suspicious executables from C:\ root directory and C:\Program Files (x86)\Brother\
- Restrict write permissions on C:\ root directory to administrators only
- Consider temporarily disabling the BRAgent service if not critical to operations
Patch Information
Organizations should consult Brother's official resources for updated software versions. Review the Brother Help Documentation for information about BRAgent functionality and potential updates. The VulnCheck Advisory provides additional remediation guidance.
Workarounds
- Manually correct the service path by editing the registry at HKLM\SYSTEM\CurrentControlSet\Services\WBA_Agent_Client to include proper quotation marks
- Implement application whitelisting to prevent unauthorized executables from running in system paths
- Deploy endpoint protection solutions that detect unquoted service path exploitation attempts
- Restrict local write access to directories that intersect with the vulnerable service path
# Configuration example - Fix unquoted service path via registry
# Run as Administrator in Command Prompt:
sc qc WBA_Agent_Client
reg query "HKLM\SYSTEM\CurrentControlSet\Services\WBA_Agent_Client" /v ImagePath
# If unquoted, update with:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WBA_Agent_Client" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Brother\BRAgent\WBA_Agent_Client.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
