CVE-2020-36987 Overview
Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. This vulnerability (CWE-428) enables attackers to exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions, resulting in complete system compromise.
Critical Impact
Local attackers can achieve privilege escalation to LocalSystem by placing a malicious executable in the service path, gaining full control over the affected system during startup or reboot operations.
Affected Products
- Program Access Controller 1.2.0.0
- PACService.exe component
- Gearbox Computers Program Access Controller software
Discovery Timeline
- 2026-01-28 - CVE-2020-36987 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36987
Vulnerability Analysis
This vulnerability exists due to improper handling of service executable paths in the Program Access Controller application. When Windows services are configured with paths containing spaces but lacking proper quotation marks, the operating system's path resolution mechanism can be exploited. The PACService.exe service path is not properly enclosed in quotation marks, creating an opportunity for attackers with local access to place malicious executables in strategic locations along the path hierarchy.
The exploitation requires local access to the system with sufficient permissions to write files to directories within the unquoted service path. Upon system startup or service restart, Windows will attempt to resolve the path and may execute the attacker's malicious binary instead of the legitimate service executable, running with the service's configured privileges (LocalSystem in this case).
Root Cause
The root cause is an unquoted service path configuration (CWE-428) in the Windows service registration for PACService.exe. When a service path contains spaces and is not enclosed in quotation marks, Windows uses a predictable algorithm to locate the executable, checking for executables at each space boundary in the path. This creates opportunities for an attacker to place a malicious executable at any of these intermediate path locations.
Attack Vector
The attack requires local access to the target system. An attacker must identify writable directories within the unquoted service path and place a malicious executable file named to match one of the path segments that Windows will check during service path resolution. The malicious code executes with LocalSystem privileges when the service is started, typically during system boot or manual service restart, allowing the attacker to gain complete control over the system.
For technical exploitation details and proof-of-concept information, refer to Exploit-DB #48966 and the VulnCheck Advisory.
Detection Methods for CVE-2020-36987
Indicators of Compromise
- Unexpected executable files appearing in directories along the Program Access Controller installation path
- Suspicious processes spawned by the PACService.exe service with anomalous behavior
- New or modified executables in C:\Program Files\ or similar path segments that don't match known software installations
- Unusual network connections or system modifications occurring immediately after system startup
Detection Strategies
- Use Windows Management Instrumentation (WMI) queries to identify services with unquoted paths: wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Monitor for file creation events in directories that could be exploited for unquoted service path attacks
- Implement application whitelisting to prevent unauthorized executables from running with elevated privileges
- Deploy endpoint detection and response (EDR) solutions to identify suspicious privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification events (Event IDs 4697, 7045)
- Monitor for process creation events where parent process is a Windows service and child process is unexpected
- Configure alerts for file writes to system directories by non-administrative users
- Regularly audit service configurations to identify unquoted paths across all installed services
How to Mitigate CVE-2020-36987
Immediate Actions Required
- Audit the Program Access Controller service configuration and add quotation marks around the service executable path in the Windows Registry
- Remove any suspicious executables found in directories along the service path
- Restrict write permissions on directories that could be targeted by this vulnerability
- Consider temporarily disabling the affected service if not critical to operations until a proper fix is applied
Patch Information
Review the vendor advisory from Gearbox Computers for official patch availability. Users should visit the Gearbox Computers Homepage for updated software versions that address this vulnerability. The VulnCheck Advisory provides additional remediation guidance.
Workarounds
- Manually correct the service path by adding quotation marks around the executable path in the Windows Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PACService
- Implement strict access controls on directories within the service path to prevent unauthorized file creation
- Use Windows Software Restriction Policies or AppLocker to prevent execution of unauthorized binaries
- Deploy endpoint protection solutions that can detect and block unquoted service path exploitation attempts
# Registry fix example - add quotes around service path
# Run as Administrator in Command Prompt
reg query "HKLM\SYSTEM\CurrentControlSet\Services\PACService" /v ImagePath
# If unquoted, update with:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PACService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Gearbox Computers\Program Access Controller\PACService.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
