CVE-2020-36953: MiniTool ShadowMaker Privilege Escalation

CVE-2020-36953 Overview

MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\MiniTool ShadowMaker\AgentService.exe to inject malicious executables and escalate privileges. This vulnerability is classified under CWE-428 (Unquoted Search Path or Element).

Critical Impact
Local attackers with limited privileges can exploit this unquoted service path to place malicious executables in the Windows path and achieve privilege escalation to SYSTEM level when the vulnerable service restarts.

Affected Products

MiniTool ShadowMaker version 3.2
MTAgentService component
Systems running vulnerable MiniTool ShadowMaker installations

Discovery Timeline

2026-01-26 - CVE-2020-36953 published to NVD
2026-01-27 - Last updated in NVD database

Technical Details for CVE-2020-36953

Vulnerability Analysis

The vulnerability exists due to an unquoted service path in the MTAgentService component of MiniTool ShadowMaker 3.2. When Windows services are configured with executable paths containing spaces but lacking proper quotation marks, the operating system interprets the path ambiguously. In this case, the service path C:\Program Files\MiniTool ShadowMaker\AgentService.exe is not enclosed in quotes.

Windows attempts to resolve unquoted paths by testing multiple interpretations sequentially. For this vulnerable path, Windows will attempt to execute in order: C:\Program.exe, then C:\Program Files\MiniTool.exe, then C:\Program Files\MiniTool ShadowMaker\AgentService.exe. An attacker who can write to C:\ or C:\Program Files\ can place a malicious executable named Program.exe or MiniTool.exe that will be executed with the service's privileges—typically SYSTEM.

Root Cause

The root cause of this vulnerability is improper service registration during MiniTool ShadowMaker installation. The installer failed to enclose the service executable path in quotation marks when registering the MTAgentService with the Windows Service Control Manager. This configuration oversight allows the path parsing ambiguity that enables exploitation.

Attack Vector

The attack requires local access to the target system. An attacker with write permissions to directories in the unquoted path hierarchy can plant a malicious executable. When the vulnerable service starts or restarts (such as during system boot or service recovery), Windows will execute the planted malicious binary with elevated SYSTEM privileges instead of the legitimate service executable.

The exploitation process involves:

Identifying the unquoted service path in the Windows registry or via service enumeration tools
Creating a malicious executable (e.g., reverse shell payload)
Placing the executable at a valid interception point (e.g., C:\Program.exe or C:\Program Files\MiniTool.exe)
Waiting for service restart or triggering a restart through other means
Achieving code execution with SYSTEM privileges

For detailed technical analysis and proof-of-concept information, refer to the Exploit-DB entry #49336 and the VulnCheck Advisory.

Detection Methods for CVE-2020-36953

Indicators of Compromise

Presence of unexpected executables named Program.exe or MiniTool.exe in the C:\ or C:\Program Files\ directories
Unusual process execution chains originating from service startup contexts
New or modified files in path interception locations created by non-administrative users
Service crash events followed by unexpected process spawning

Detection Strategies

Run PowerShell or WMI queries to enumerate services with unquoted paths: wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
Monitor file creation events in C:\ and C:\Program Files\ for executables not associated with legitimate software installations
Use endpoint detection tools to alert on service binary path modifications or suspicious service configurations
Implement application whitelisting to prevent unauthorized executables from running in privileged contexts

Monitoring Recommendations

Enable Windows Security Event logging for service configuration changes (Event ID 7045)
Monitor for process creation events where parent process is services.exe but child process hash is unrecognized
Configure file integrity monitoring on directories within common unquoted path interception points
Alert on privilege escalation patterns where low-privilege users create files subsequently executed by SYSTEM

How to Mitigate CVE-2020-36953

Immediate Actions Required

Audit the MTAgentService registry entry and manually add quotation marks around the executable path
Review all installed services for similar unquoted path vulnerabilities using enumeration scripts
Restrict write permissions on C:\ and C:\Program Files\ directories to administrative users only
Consider temporarily disabling the MTAgentService if not critical to operations until a proper fix is applied

Patch Information

Organizations should check with MiniTool for updated versions of ShadowMaker that properly quote the service path during installation. Visit the MiniTool official website for the latest software releases and security updates. If no patched version is available, apply the manual registry fix described below.

Workarounds

Manually fix the service path by modifying the registry key at HKLM\SYSTEM\CurrentControlSet\Services\MTAgentService to include quotes around the ImagePath value
Implement strict access control lists (ACLs) on directories that could be exploited for path interception
Use application control policies (Windows Defender Application Control or AppLocker) to prevent unauthorized binary execution
Monitor and alert on any file creation in root directories and common interception paths

bash

# Configuration example - PowerShell command to fix unquoted service path
# Run as Administrator to add quotes around the service path

$servicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MTAgentService'
$currentPath = (Get-ItemProperty -Path $servicePath).ImagePath
$fixedPath = '"C:\Program Files\MiniTool ShadowMaker\AgentService.exe"'
Set-ItemProperty -Path $servicePath -Name ImagePath -Value $fixedPath
Write-Host "Service path updated from: $currentPath"
Write-Host "Service path updated to: $fixedPath"

CVE-2020-36953 Overview

Critical Impact
Local attackers with limited privileges can exploit this unquoted service path to place malicious executables in the Windows path and achieve privilege escalation to SYSTEM level when the vulnerable service restarts.

Affected Products

MiniTool ShadowMaker version 3.2
MTAgentService component
Systems running vulnerable MiniTool ShadowMaker installations

Discovery Timeline

2026-01-26 - CVE-2020-36953 published to NVD
2026-01-27 - Last updated in NVD database

Technical Details for CVE-2020-36953

Vulnerability Analysis

Root Cause

Attack Vector

The exploitation process involves:

Identifying the unquoted service path in the Windows registry or via service enumeration tools
Creating a malicious executable (e.g., reverse shell payload)
Placing the executable at a valid interception point (e.g., C:\Program.exe or C:\Program Files\MiniTool.exe)
Waiting for service restart or triggering a restart through other means
Achieving code execution with SYSTEM privileges

For detailed technical analysis and proof-of-concept information, refer to the Exploit-DB entry #49336 and the VulnCheck Advisory.

Detection Methods for CVE-2020-36953

Indicators of Compromise

Presence of unexpected executables named Program.exe or MiniTool.exe in the C:\ or C:\Program Files\ directories
Unusual process execution chains originating from service startup contexts
New or modified files in path interception locations created by non-administrative users
Service crash events followed by unexpected process spawning

Detection Strategies

Run PowerShell or WMI queries to enumerate services with unquoted paths: wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
Monitor file creation events in C:\ and C:\Program Files\ for executables not associated with legitimate software installations
Use endpoint detection tools to alert on service binary path modifications or suspicious service configurations
Implement application whitelisting to prevent unauthorized executables from running in privileged contexts

Monitoring Recommendations

Enable Windows Security Event logging for service configuration changes (Event ID 7045)
Monitor for process creation events where parent process is services.exe but child process hash is unrecognized
Configure file integrity monitoring on directories within common unquoted path interception points
Alert on privilege escalation patterns where low-privilege users create files subsequently executed by SYSTEM

How to Mitigate CVE-2020-36953

Immediate Actions Required

Audit the MTAgentService registry entry and manually add quotation marks around the executable path
Review all installed services for similar unquoted path vulnerabilities using enumeration scripts
Restrict write permissions on C:\ and C:\Program Files\ directories to administrative users only
Consider temporarily disabling the MTAgentService if not critical to operations until a proper fix is applied

Patch Information

Workarounds

Manually fix the service path by modifying the registry key at HKLM\SYSTEM\CurrentControlSet\Services\MTAgentService to include quotes around the ImagePath value
Implement strict access control lists (ACLs) on directories that could be exploited for path interception
Use application control policies (Windows Defender Application Control or AppLocker) to prevent unauthorized binary execution
Monitor and alert on any file creation in root directories and common interception paths

bash

# Configuration example - PowerShell command to fix unquoted service path
# Run as Administrator to add quotes around the service path

$servicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MTAgentService'
$currentPath = (Get-ItemProperty -Path $servicePath).ImagePath
$fixedPath = '"C:\Program Files\MiniTool ShadowMaker\AgentService.exe"'
Set-ItemProperty -Path $servicePath -Name ImagePath -Value $fixedPath
Write-Host "Service path updated from: $currentPath"
Write-Host "Service path updated to: $fixedPath"

CVE-2020-36953: MiniTool ShadowMaker Privilege Escalation

CVE-2020-36953 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-36953

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-36953

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-36953

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2020-36953: MiniTool ShadowMaker Privilege Escalation

CVE-2020-36953 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-36953

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-36953

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-36953

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform