CVE-2020-36979 Overview
CVE-2020-36979 is an unquoted service path vulnerability affecting Atheros Coex Service Application version 8.0.0.255. This vulnerability exists in the Windows service configuration where the executable path is not properly enclosed in quotation marks. Attackers with local access can exploit this misconfiguration by placing malicious executables in strategic locations along the service path, potentially gaining elevated SYSTEM privileges when the service starts or restarts.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM level by exploiting the unquoted service path, enabling complete system compromise on affected Windows machines running the vulnerable Atheros Coex Service.
Affected Products
- Atheros Coex Service Application version 8.0.0.255
- Windows systems with ZAtheros BTWlan Coex Agent service installed
- Systems using ath_coexagent.exe process
Discovery Timeline
- 2026-01-27 - CVE CVE-2020-36979 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36979
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a well-known Windows service misconfiguration issue. When a Windows service is configured with an executable path containing spaces but lacking proper quotation marks, the Windows Service Control Manager (SCM) parses the path ambiguously. This creates an opportunity for attackers to inject malicious executables that the system will execute instead of the intended service binary.
The Atheros Coex Service Application, used for Bluetooth and WLAN coexistence management on systems with Atheros wireless adapters, runs with elevated SYSTEM privileges. The service executable ath_coexagent.exe is typically installed in a path containing spaces (such as C:\Program Files\...), making it susceptible to this attack when the path is unquoted.
Root Cause
The root cause of this vulnerability is improper service registration in the Windows registry. When the service was configured, the ImagePath registry value under HKLM\SYSTEM\CurrentControlSet\Services\ZAtheros Bt&Wlan Coex Agent was set without enclosing the full path in double quotes. This is a common oversight during software installation that can have serious security implications.
Windows parses unquoted paths by testing each space-delimited segment. For a path like C:\Program Files\Atheros\service.exe, Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files\Atheros\service.exe
Attack Vector
The attack requires local access to the target system with sufficient permissions to write files to directories within the service path hierarchy. An attacker would craft a malicious executable and place it in a location that Windows will evaluate before reaching the legitimate service binary.
The exploitation workflow involves identifying the vulnerable service configuration, creating a malicious payload named to match an intermediate path segment (e.g., Program.exe), placing it in the appropriate directory (e.g., C:\), and then triggering a service restart or waiting for system reboot. When the service starts, the malicious executable runs with SYSTEM privileges.
For detailed technical information about this vulnerability, refer to the Exploit-DB entry #49053 and the VulnCheck Advisory.
Detection Methods for CVE-2020-36979
Indicators of Compromise
- Presence of unexpected executables named Program.exe in the C:\ root directory
- Suspicious executables in C:\Program Files\ directories that don't match legitimate software
- Unexpected process execution events with SYSTEM privileges originating from non-standard paths
- Registry modifications to service ImagePath values
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in C:\ and C:\Program Files\ for executables with suspicious names like Program.exe
- Implement endpoint detection rules for process execution from unexpected paths with SYSTEM context
- Use SentinelOne's behavioral AI to detect privilege escalation attempts via service manipulation
Monitoring Recommendations
- Enable Windows Security Event logging for service configuration changes (Event ID 7045)
- Configure file integrity monitoring on system directories to detect unauthorized executable placement
- Deploy SentinelOne agents with real-time behavioral analysis to identify exploitation attempts
- Regularly audit service configurations for unquoted path vulnerabilities using automated scanning tools
How to Mitigate CVE-2020-36979
Immediate Actions Required
- Audit all Windows services on affected systems for unquoted path vulnerabilities
- Manually correct the service path by adding quotation marks to the registry ImagePath value
- Remove any suspicious executables found in potential hijack locations (C:\Program.exe, etc.)
- Consider disabling the ZAtheros Bt&Wlan Coex Agent service if not required for system operation
Patch Information
No vendor patch has been identified for this vulnerability. The Atheros Coex Service Application version 8.0.0.255 remains vulnerable. Organizations should implement manual remediation by correcting the service path configuration in the Windows registry. Refer to the VulnCheck Advisory for additional guidance.
Workarounds
- Manually fix the registry entry by enclosing the service path in double quotes
- Restrict write permissions on directories in the service path hierarchy to prevent executable placement
- Implement application whitelisting to block execution of unauthorized binaries
- Use the principle of least privilege to limit accounts that can write to system directories
# Registry fix example (run as Administrator in Command Prompt)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ZAtheros Bt&Wlan Coex Agent" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Atheros\ath_coexagent.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
