CVE-2020-36975 Overview
EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability (CWE-428) that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE to inject malicious executables and escalate privileges on affected Windows systems.
Critical Impact
Local privilege escalation through unquoted service path exploitation could allow attackers to gain elevated system privileges and execute malicious code in the context of the EPSON service.
Affected Products
- EPSON Status Monitor 3 version 8.0
- Systems with EPSON printer software utilizing the EPW!3SSRP service component
- Windows environments running affected EPSON monitoring utilities
Discovery Timeline
- 2026-01-27 - CVE CVE-2020-36975 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36975
Vulnerability Analysis
This vulnerability stems from improper handling of the Windows service executable path configuration. When Windows services are registered with paths containing spaces that are not enclosed in quotation marks, the operating system's path resolution mechanism can be exploited to execute unintended binaries.
The vulnerable service path C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE contains multiple space-separated directories without proper quoting. Windows attempts to resolve this path by sequentially testing various interpretations, starting with C:\Program.exe, then C:\Program Files\Common.exe, and so forth. An attacker with local write access to any of these intermediate locations can plant a malicious executable that will be executed with the privileges of the service.
Root Cause
The root cause of CVE-2020-36975 is the failure to properly quote the service binary path during installation or configuration of EPSON Status Monitor 3. When the service path is registered in the Windows Service Control Manager without enclosing quotes, Windows interprets spaces in the path as argument delimiters rather than part of the directory structure. This is a common misconfiguration issue classified under CWE-428 (Unquoted Search Path or Element).
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to have local access to the affected system. The exploitation process involves identifying writable directories along the unquoted service path and placing a malicious executable with a name that matches Windows' path resolution order.
For example, if an attacker can write to C:\, they could create a file named Program.exe. When the EPSON service starts or restarts, Windows would execute C:\Program.exe instead of the legitimate service binary. Since services typically run with elevated privileges (often as SYSTEM), this allows privilege escalation from a standard user account.
The attack requires:
- Local access to the target system
- Write permissions to a directory in the path resolution sequence
- The ability to trigger a service restart (or wait for system reboot)
Technical details and proof-of-concept information can be found in the Exploit-DB #49141 advisory.
Detection Methods for CVE-2020-36975
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Common.exe, or similar in root directories or C:\Program Files\
- Unusual process execution originating from EPSON service contexts
- Unexpected child processes spawned by E_S60RPB.EXE or related EPSON services
- File creation events in C:\ or C:\Program Files\ with executable extensions
Detection Strategies
- Monitor Windows Service Control Manager for services with unquoted paths containing spaces using PowerShell queries or specialized tools
- Implement file integrity monitoring on directories commonly targeted by unquoted path attacks (C:\, C:\Program Files\)
- Configure endpoint detection rules to alert on executable file creation in root directories
- Audit service configurations during security assessments using tools like wmic service get name,displayname,pathname,startmode
Monitoring Recommendations
- Enable Windows Event Logging for service creation and modification (Event ID 7045)
- Monitor process creation events (Event ID 4688) for unexpected executables running with SYSTEM privileges
- Configure SentinelOne behavioral AI to detect privilege escalation patterns associated with service exploitation
- Implement periodic automated scanning for unquoted service path vulnerabilities across the environment
How to Mitigate CVE-2020-36975
Immediate Actions Required
- Audit all EPSON-related Windows services for unquoted paths using the registry editor or command-line tools
- Restrict write permissions on C:\ and C:\Program Files\ directories to administrators only
- Monitor for suspicious executable files in directories along the service path
- Consider temporarily disabling the vulnerable service if not critical to operations
Patch Information
Administrators should check the Epson Official Website for updated versions of Status Monitor 3 that address this vulnerability. Additionally, review the VulnCheck Advisory: Epson PMRPCV for detailed remediation guidance.
If no vendor patch is available, manual remediation of the service path is recommended by adding quotation marks around the binary path in the Windows registry.
Workarounds
- Manually correct the service path by adding quotes around the executable path in the registry at HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath
- Implement application whitelisting to prevent unauthorized executables from running
- Use SentinelOne's Singularity platform to detect and block exploitation attempts through behavioral analysis
- Apply principle of least privilege to limit user write access to system directories
# Configuration example
# PowerShell command to identify unquoted service paths
Get-WmiObject win32_service | Where-Object {$_.PathName -like '* *' -and $_.PathName -notlike '"*"' -and $_.PathName -notlike '*svchost*'} | Select-Object Name, PathName, StartMode
# Fix the unquoted path via registry (run as Administrator)
# reg add "HKLM\SYSTEM\CurrentControlSet\Services\EPSON_PM_RPCV4_06" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
