CVE-2020-36935: KMSpico Privilege Escalation Vulnerability

CVE-2020-36935 Overview

CVE-2020-36935 is an unquoted service path vulnerability affecting KMSpico 17.1.0.0, a widely distributed Windows activation tool. The vulnerability exists in the Service KMSELDI configuration where the binary path C:\Program Files\KMSpico\Service_KMS.exe is not properly quoted. This configuration flaw allows local attackers with limited privileges to potentially execute arbitrary code and escalate privileges on affected systems.

Critical Impact

Local attackers can exploit this unquoted service path to inject malicious executables into the file system, achieving privilege escalation and arbitrary code execution when the vulnerable service starts.

Affected Products

• KMSpico 17.1.0.0
• Service KMSELDI (Windows Service Component)
• Systems with KMSpico installed in default directory paths containing spaces

Discovery Timeline

• 2026-01-25 - CVE CVE-2020-36935 published to NVD
• 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2020-36935

Vulnerability Analysis

This vulnerability is classified as CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with a binary path that contains spaces and is not enclosed in quotation marks, Windows interprets the path ambiguously during service startup. The operating system attempts to locate and execute binaries by progressively parsing the path at each space character.

For the path C:\Program Files\KMSpico\Service_KMS.exe, Windows will first attempt to execute C:\Program.exe, then C:\Program Files\KMSpico\Service_KMS.exe. If an attacker can place a malicious executable named Program.exe in the C:\ root directory, that malicious binary will execute instead of the intended service executable.

Since Windows services typically run with elevated SYSTEM privileges, successful exploitation grants the attacker high-level access to the compromised system, enabling complete system compromise including access to sensitive data, lateral movement, and persistence mechanisms.

Root Cause

The root cause stems from improper service configuration during KMSpico installation. The service path was registered in the Windows Service Control Manager without proper quotation marks around the executable path. This is a common oversight in software installers that do not validate or sanitize registry entries for service paths containing spaces.

Attack Vector

The attack requires local access to the target system with write permissions to directories that appear in the truncated path search sequence. An attacker must:

1. Identify the unquoted service path in the Windows Service configuration
2. Determine which intermediary paths can be written to (e.g., C:\Program.exe)
3. Place a malicious executable at the exploitable location
4. Wait for the service to restart or trigger a service restart

The vulnerability manifests when Windows parses the unquoted service path during service initialization. When the Service KMSELDI starts, Windows attempts to locate the executable by parsing the path C:\Program Files\KMSpico\Service_KMS.exe at space boundaries. For detailed exploitation techniques, refer to the Exploit-DB #49003 entry and the VulnCheck Advisory.

Detection Methods for CVE-2020-36935

Indicators of Compromise

• Presence of unexpected executables in C:\ root directory such as Program.exe
• Unusual service startup failures or behavior changes in KMSELDI service
• Windows Event Log entries showing execution of binaries from unexpected locations
• Registry modifications to service ImagePath values

Detection Strategies

• Audit Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
• Monitor file creation events in root directories and common exploitation paths (C:\Program.exe, C:\Program Files\KMSpico\Service.exe)
• Implement application whitelisting to prevent unauthorized executables from running
• Use endpoint detection solutions to flag privilege escalation attempts

Monitoring Recommendations

• Enable Windows Security Event Logging for service configuration changes (Event ID 7045)
• Monitor for process creation events from service accounts executing unexpected binaries
• Set up alerts for file system changes in system-critical directories
• Review installed services periodically for unquoted path vulnerabilities

How to Mitigate CVE-2020-36935

Immediate Actions Required

• Audit all systems for KMSpico installations and remove the software if present
• Correct the service path by adding quotation marks around the ImagePath registry value
• Restrict write permissions on root directories and common exploit paths
• Consider removing unauthorized activation tools in favor of legitimate licensing

Patch Information

No official patch is available from the vendor for this vulnerability. KMSpico is an unofficial third-party tool, and users should consider removing the software entirely. The service path can be manually corrected by modifying the Windows Registry to enclose the ImagePath in quotation marks.

For additional technical details, consult the VulnCheck Advisory on KMSPico.

Workarounds

• Manually fix the unquoted service path in the Windows Registry by navigating to HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI and adding quotes around the ImagePath value
• Remove KMSpico and use legitimate Windows activation methods
• Implement strict file system permissions preventing write access to C:\ root directory
• Deploy endpoint protection solutions that detect and block privilege escalation techniques

# Configuration example - Fix unquoted service path via Registry
# Run as Administrator in Command Prompt

# Verify current service path
reg query "HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI" /v ImagePath

# Correct the path by adding quotation marks
reg add "HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\KMSpico\Service_KMS.exe\"" /f