CVE-2020-36936 Overview
CVE-2020-36936 is an unquoted service path vulnerability affecting Magic Mouse 2 Utilities version 2.20. This Windows service configuration flaw allows local attackers to exploit the unquoted path to inject malicious executables into the service execution chain, potentially gaining elevated system privileges.
Unquoted service path vulnerabilities occur when Windows services are configured with executable paths containing spaces that are not enclosed in quotation marks. Windows parses these paths by attempting to locate executables at each space-delimited segment, creating an opportunity for attackers to plant malicious executables that will be executed with the service's privileges.
Critical Impact
Attackers with local access can achieve privilege escalation to SYSTEM-level privileges by placing a malicious executable in the service path, enabling complete system compromise.
Affected Products
- Magic Mouse 2 Utilities version 2.20
- Windows systems running the MagicMouseService
Discovery Timeline
- 2026-01-25 - CVE-2020-36936 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2020-36936
Vulnerability Analysis
The vulnerability exists within the Magic Mouse 2 Utilities installation, specifically in how the MagicMouseService Windows service is registered. When the service executable path contains spaces and is not properly quoted in the Windows registry, Windows attempts to resolve the path in multiple ways.
For example, if a service path is configured as C:\Program Files\Magic Mouse\MagicMouseService.exe, Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files\Magic.exe
- C:\Program Files\Magic Mouse\MagicMouseService.exe
This parsing behavior enables an attacker with write access to C:\ or C:\Program Files\ to place a malicious executable named Program.exe or Magic.exe that will execute with the service's privileges when the service starts or restarts.
Root Cause
The root cause is CWE-428: Unquoted Search Path or Element. The Magic Mouse 2 Utilities installer fails to enclose the service executable path in quotation marks when registering the Windows service in the system registry. This configuration oversight allows Windows path resolution behavior to be exploited for privilege escalation.
Attack Vector
This is a local attack vector requiring the attacker to have write access to directories in the service path hierarchy. The attack typically follows these steps:
- Attacker identifies the unquoted service path in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\MagicMouseService
- Attacker determines writable directories along the path
- Attacker crafts a malicious executable and places it at a path segment before the legitimate service executable
- When the service restarts (either manually triggered or during system reboot), Windows executes the malicious binary with SYSTEM privileges
- The attacker achieves full system compromise
Technical details and a proof-of-concept are available from Exploit-DB #49017.
Detection Methods for CVE-2020-36936
Indicators of Compromise
- Unexpected executable files in C:\ or C:\Program Files\ directories with names like Program.exe or Magic.exe
- Anomalous processes spawned as children of the MagicMouseService
- Registry modifications to the MagicMouseService configuration
- Unexpected SYSTEM-level process execution traced back to service paths
Detection Strategies
- Query Windows services for unquoted executable paths that contain spaces, ignoring spaces that appear only in arguments, using PowerShell: Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '^\s*"' -and $_.PathName -match '^[^"]+ [^"]*\.exe' }
- Monitor file creation events in root directories and Program Files for executables matching path segments
- Implement behavioral detection for privilege escalation patterns associated with service exploitation
- Use SentinelOne's Storyline technology to correlate suspicious process execution chains originating from Windows services
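The following audit script is an added example, not part of the original advisory or any vendor tooling. It extends the service query above: it isolates the executable portion of each PathName so that arguments are ignored, lists the intermediate paths Windows would try first, and reports whether a file already exists at any of them (the indicator described under Indicators of Compromise). The function names are hypothetical, and the sample path is the illustrative one used in this advisory.

```powershell
# Added example: audit services for unquoted executable paths and check
# whether a file already sits at any path Windows would try first.

function Get-UnquotedExePath {
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }           # already quoted
    # Executable portion = text up to the first ".exe" that is followed by
    # whitespace or end of string; anything after that is arguments.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        $exe = $Matches['exe']
        if ($exe.Contains(' ')) { return $exe }         # space inside the path
    }
    return $null
}

function Get-CandidatePath {
    param([string]$ExePath)
    # Each space-delimited prefix, with ".exe" appended, is tried in order.
    $parts = $ExePath -split ' '
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        ($parts[0..$i] -join ' ') + '.exe'
    }
}

# Constructed sample (the illustrative path used in this advisory):
$sample = 'C:\Program Files\Magic Mouse\MagicMouseService.exe'
Get-CandidatePath (Get-UnquotedExePath $sample)

# Live audit of the local machine.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-UnquotedExePath $svc.PathName
    if ($exe) {
        foreach ($candidate in @(Get-CandidatePath $exe)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                ImagePath = $svc.PathName
                Candidate = $candidate
                Exists    = Test-Path -LiteralPath $candidate -PathType Leaf
            }
        }
    }
} | Sort-Object Exists -Descending | Format-Table -AutoSize
```

Any row with Exists set to True is a file that should be investigated before the service is next restarted.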
Monitoring Recommendations
- Enable audit logging for file creation in C:\ and C:\Program Files\ directories
- Monitor Windows Event Log for Service Control Manager events (Event ID 7045 for new service installations)
- Implement endpoint detection rules for unexpected executables in common exploitation paths
- Deploy file integrity monitoring on directories commonly targeted by unquoted service path attacks
How to Mitigate CVE-2020-36936
Immediate Actions Required
- Audit all installed Windows services for unquoted paths containing spaces
- Restrict write permissions to C:\ and C:\Program Files\ directories to administrative accounts only
- Consider uninstalling Magic Mouse 2 Utilities if not required, or replace with an updated version if available
- Monitor the system for signs of exploitation pending permanent remediation
Patch Information
There is no confirmed vendor patch available in the CVE data. Users should check the Magic Mouse Utilities Home page for potential updates or security advisories. Additionally, refer to the VulnCheck Security Advisory for the latest vulnerability details.
Workarounds
- Manually fix the unquoted service path by modifying the registry to add quotation marks around the ImagePath value
- Remove write permissions for non-administrative users from directories in the service path
- Configure application whitelisting to prevent unauthorized executable execution from common exploitation directories
- Deploy endpoint protection solutions that can detect and block privilege escalation attempts
rem Registry fix to quote the service path (run from an elevated Command Prompt, cmd.exe)
rem First, verify the current unquoted path:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\MagicMouseService" /v ImagePath
rem Then update with quoted path (adjust the path to match your installation):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MagicMouseService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Magic Mouse\MagicMouseService.exe\"" /f


