CVE-2020-36974 Overview
CVE-2020-36974 is an unquoted service path vulnerability in Realtek Andrea RT Filters 1.0.64.7 that allows a local user to execute arbitrary code with elevated system privileges. The vulnerability exists because the Windows service path C:\Program Files\IDT\WDM\AESTSr64.exe is not enclosed in quotation marks, so an attacker who can write to a directory along the path can place an executable that Windows will try before the legitimate service binary.
Critical Impact
Local attackers can exploit this unquoted service path to achieve privilege escalation to SYSTEM level, potentially gaining complete control over the affected system during service startup or system reboot.
Affected Products
- Realtek Andrea RT Filters 1.0.64.7
- IDT WDM Audio Driver components using AESTSr64.exe service
- Systems with vulnerable Realtek audio driver installations
Discovery Timeline
- 2026-01-27 - CVE-2020-36974 published to NVD
- 2026-01-29 - Last updated in the NVD database
Technical Details for CVE-2020-36974
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element), a common Windows privilege-escalation weakness. When a Windows service is configured with a path that contains spaces but no quotation marks, the Service Control Manager hands the raw string to CreateProcess, which cannot tell where the executable name ends and its arguments begin. It therefore treats each prefix ending at a space as a candidate executable (appending .exe when the prefix has no extension) and tries them in order, which is what gives an attacker the opportunity to have their own file run first.
The affected service path C:\Program Files\IDT\WDM\AESTSr64.exe contains a space in "Program Files". Without quotes, Windows will first attempt to execute C:\Program.exe and only then C:\Program Files\IDT\WDM\AESTSr64.exe. If an attacker can place a malicious Program.exe in the root of the C: drive, it will run with the privileges of the service, typically SYSTEM for audio driver services.
Root Cause
The root cause is improper service registration during Realtek Andrea RT Filters installation. The service configuration was created without enclosing the executable path in quotation marks, violating Windows security best practices for service path definitions. This oversight allows the Windows Service Control Manager (SCM) to misinterpret the intended executable path when spaces are present.
Attack Vector
The attack requires local access to the system with write permissions to a directory in the path resolution chain. An attacker with standard user privileges can:
- Create a malicious executable named Program.exe in C:\ (if permissions allow)
- Alternatively, create C:\Program Files\IDT\WDM.exe if that path is writable
- Wait for a service restart or system reboot
- The malicious code then executes with SYSTEM privileges
Since this is a local attack vector, the attacker must already have some level of access to the target system. However, successful exploitation results in complete privilege escalation from a low-privileged user to SYSTEM, making it valuable for post-compromise escalation scenarios.
Detection Methods for CVE-2020-36974
Indicators of Compromise
- Unexpected executables in C:\ root directory, particularly Program.exe
- Suspicious executables in C:\Program Files\ that don't match legitimate software
- Unusual process creation events from service startup with SYSTEM privileges
- File creation timestamps in path resolution directories that don't align with legitimate installations
Detection Strategies
- Monitor for file creation events in C:\ root and C:\Program Files\ directories using Windows Security Event ID 4663
- Use WMIC queries to identify all services with unquoted paths: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
- Implement endpoint detection rules for process spawning from unusual locations with SYSTEM privileges
- Deploy SentinelOne behavioral AI to detect privilege escalation attempts via service path abuse
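The path-resolution rule described under Vulnerability Analysis, turned into an offline audit that complements the WMIC query above: it flags service ImagePath values that are unquoted and contain spaces, and lists the exact files Windows would try before the real binary, so a defender knows which locations to monitor and lock down. This is an added example, not code from the page or from Realtek or SentinelOne; the service table is constructed here, with only the AESTSrv path taken from the advisory.

```python
from typing import Dict, List

# Constructed sample of ImagePath values, as exported from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Only AESTSrv mirrors the
# advisory; the other entries are made up for illustration.
SAMPLE_SERVICES: Dict[str, str] = {
    "AESTSrv":  r"C:\Program Files\IDT\WDM\AESTSr64.exe",
    "GoodSvc":  r'"C:\Program Files\Good Vendor\good.exe" -service',
    "Spooler":  r"C:\Windows\System32\spoolsv.exe",
    "TwoSpace": r"C:\Program Files\Some Vendor\svc.exe",
}

def executable_part(image_path: str) -> str:
    """Executable portion of an ImagePath: a quoted path ends at the closing
    quote; an unquoted one is returned whole, because the SCM cannot tell
    where the file name stops and arguments begin (the CWE-428 ambiguity)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s

def is_unquoted(image_path: str) -> bool:
    """True when the path is unquoted and contains a space."""
    s = image_path.strip()
    return not s.startswith('"') and " " in executable_part(s)

def candidate_paths(image_path: str) -> List[str]:
    """Files CreateProcess tries, in order: each prefix ending at a space
    (with .exe appended if it has no extension), then the full string."""
    exe = executable_part(image_path)
    if not is_unquoted(image_path):
        return [exe]
    out: List[str] = []
    idx = exe.find(" ")
    while idx != -1:
        prefix = exe[:idx]
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        out.append(prefix)
        idx = exe.find(" ", idx + 1)
    out.append(exe)
    return out

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every vulnerable service to the files it would try before its binary."""
    return {n: candidate_paths(p) for n, p in services.items() if is_unquoted(p)}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(name, "->", " | ".join(cands))
```

Each listed candidate other than the last is a location where a file-creation alert (Event ID 4663) or a write-permission review pays off.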
Monitoring Recommendations
- Configure audit policies for file system changes in sensitive directories
- Establish baseline behavior for service executables and alert on anomalies
- Monitor Windows Event ID 7045 for new service installations and validate quoted paths
- Implement continuous vulnerability scanning to identify systems with affected Realtek driver versions
How to Mitigate CVE-2020-36974
Immediate Actions Required
- Audit all systems for the presence of Realtek Andrea RT Filters 1.0.64.7
- Verify the service path configuration using the sc qc AESTSrv command
- Manually correct the service path by adding quotation marks around the executable path
- Restrict write permissions on the C:\ root directory and C:\Program Files\ folder
Patch Information
Organizations should check the Realtek Official Site for updated driver versions that address this vulnerability. The VulnCheck Advisory for Realtek provides additional technical details and remediation guidance. Technical details about the vulnerability exploitation can be found in Exploit-DB #49158.
Workarounds
- Manually fix the service path using the Registry Editor or sc config command to add quotes
- Implement application whitelisting to prevent unauthorized executables from running
- Use Group Policy to restrict write access to directories in common exploitation paths
- Deploy SentinelOne to detect and block privilege escalation attempts in real-time
# Fix unquoted service path via command line
sc config "AESTSrv" binPath= "\"C:\Program Files\IDT\WDM\AESTSr64.exe\""
# Verify the fix was applied correctly
sc qc AESTSrv
# Alternative: Registry fix (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\AESTSrv" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\IDT\WDM\AESTSr64.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.