CVE-2020-36984 Overview
CVE-2020-36984 is an unquoted service path vulnerability affecting EPSON Printer Software version 1.124. The vulnerability exists in the SENADB service, which allows local attackers to execute arbitrary code with elevated system privileges. By exploiting the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\, attackers can inject malicious executables that will run with LocalSystem permissions.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM level by placing a malicious executable in the unquoted service path, enabling complete system compromise.
Affected Products
- EPSON Printer Software version 1.124
- EPSON Status Monitor (SENADB Service)
- Systems with EPSON_P2B Printer Software installed
Discovery Timeline
- 2026-01-28 - CVE CVE-2020-36984 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36984
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with an executable path containing spaces and the path is not enclosed in quotation marks, Windows attempts to locate the executable by parsing the path at each space. This behavior can be exploited by placing a malicious executable at one of these parsed locations.
In this case, the SENADB service path C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ contains multiple spaces. Windows will sequentially attempt to execute C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\EPSON_P2B\Printer.exe, and so on. An attacker with write access to any of these intermediate locations can place a malicious executable that will be executed with the privileges of the service—in this case, LocalSystem.
Root Cause
The root cause of this vulnerability is improper configuration of the service path in the Windows registry. The SENADB service was registered without enclosing the executable path in quotation marks. This is a common oversight during software installation when developers fail to account for paths containing spaces. The Windows SCM (Service Control Manager) requires paths with spaces to be quoted; otherwise, it parses the path incrementally at each space character.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target system. The attacker must have write permissions to one of the directories in the parsed path hierarchy. Successful exploitation allows the attacker to escalate privileges from a standard user account to LocalSystem, granting full control over the compromised system. This makes the vulnerability particularly dangerous in multi-user environments or systems where standard users have write access to common directories.
The exploitation process involves placing a malicious executable (such as Program.exe or Printer.exe) in a location that Windows will check before reaching the legitimate service executable. When the service starts or restarts, the malicious payload executes with SYSTEM privileges.
Detection Methods for CVE-2020-36984
Indicators of Compromise
- Unexpected executables named Program.exe, Printer.exe, or Status.exe in C:\, C:\Program Files (x86)\, or C:\Program Files (x86)\EPSON_P2B\ directories
- Service start events for SENADB service followed by unusual process spawning activity
- New or modified executable files in the EPSON installation path hierarchy with recent timestamps
Detection Strategies
- Query Windows services for unquoted paths using wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ to identify vulnerable configurations
- Monitor the Windows Event Log for service start events (Event ID 7036) associated with the SENADB service
- Implement file integrity monitoring for the EPSON installation directories and parent paths
Monitoring Recommendations
- Deploy endpoint detection rules to alert on executable creation in C:\Program Files (x86)\EPSON_P2B\ outside of authorized software deployment windows
- Enable Windows Defender Application Control or AppLocker policies to restrict executable execution in non-standard directories
- Configure SentinelOne to monitor for privilege escalation patterns associated with service abuse
How to Mitigate CVE-2020-36984
Immediate Actions Required
- Audit the affected system for the presence of malicious executables in the unquoted path hierarchy
- Manually quote the service path in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENADB
- Restrict write permissions on directories along the service path to administrators only
- Consider disabling the SENADB service if it is not required for printer functionality
Patch Information
Users should check for updated drivers and software from the Epson Support Drivers and Manuals page. Additional technical details about this vulnerability can be found in the Exploit-DB #48965 entry and the VulnCheck Advisory on Epson.
Workarounds
- Manually fix the registry entry by adding quotation marks around the ImagePath value for the SENADB service
- Remove write permissions for non-administrative users from C:\Program Files (x86)\ and subdirectories
- Implement application whitelisting to prevent unauthorized executables from running in affected directories
# Registry fix to quote the service path (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SENADB" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\SEKSMDBExe.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
