CVE-2020-37045 Overview
CVE-2020-37045 is an unquoted service path vulnerability affecting Veritas NetBackup 7.0. The vulnerability exists in the NetBackup INET Daemon service (bpinetd.exe) where the service executable path is not properly enclosed in quotation marks. This configuration flaw allows local attackers to potentially execute arbitrary code by placing malicious executables in specific locations along the unquoted path, which would then execute with elevated LocalSystem privileges.
Critical Impact
Local privilege escalation to SYSTEM-level access through malicious executable injection in unquoted service path
Affected Products
- Veritas NetBackup 7.0
- NetBackup INET Daemon Service (bpinetd.exe)
- Systems with NetBackup installed at C:\Program Files\Veritas\NetBackup\bin\
Discovery Timeline
- 2026-02-01 - CVE-2020-37045 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37045
Vulnerability Analysis
This vulnerability stems from CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration issue. When the NetBackup INET Daemon service is registered with Windows, the path to the executable C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe is stored without enclosing quotation marks.
When Windows parses an unquoted executable path, it treats each space as a possible end of the executable name and tries the resulting candidates in a predictable sequence. An attacker with local access can exploit this behavior by placing a malicious executable at one of the intermediate path locations that Windows checks before reaching the legitimate service binary.
The vulnerability requires local access to the system and the ability to write files to specific directories. Upon successful exploitation, the malicious code executes with LocalSystem privileges—the highest privilege level on Windows systems—providing complete control over the affected machine.
Root Cause
The root cause of this vulnerability is that the Windows service was registered without quotation marks around the executable path. When a service path contains spaces and is not enclosed in quotation marks, Windows interprets the path ambiguously. The path C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe contains a single space (in "Program Files"), so Windows will sequentially attempt to execute:
- C:\Program.exe
- C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
This behavior allows an attacker to place a malicious Program.exe in the C:\ root directory, which would execute before the legitimate service binary.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target system. The attacker must have write permissions to a directory in the search path, such as the root of the C: drive. Once a malicious executable is placed at an appropriate location, it will be executed the next time the vulnerable service starts—either during system boot, service restart, or manual service invocation.
The exploitation mechanism involves creating an executable named Program.exe in the C:\ directory. When the NetBackup INET Daemon service starts, Windows parses the unquoted path and attempts to execute C:\Program.exe before the legitimate binary, resulting in arbitrary code execution under the LocalSystem context.
Detection Methods for CVE-2020-37045
Indicators of Compromise
- Unexpected executables named Program.exe in the C:\ root directory
- Unknown executables appearing in C:\Program Files\Veritas\ directory
- Suspicious service behavior or unexpected child processes spawned by bpinetd.exe
- Anomalous process execution under the SYSTEM account context
Detection Strategies
- Query Windows service configurations using wmic service get name,pathname and identify services with unquoted paths containing spaces
- Monitor file creation events in the C:\ root directory and other system directories for suspicious executables
- Deploy endpoint detection rules to alert on new executable files created outside of standard installation directories
- Audit service registry keys under HKLM\SYSTEM\CurrentControlSet\Services for unquoted ImagePath values
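The registry audit described in the list above can be scripted as follows. This is an added example, not code from the original advisory or from Veritas; the function names are illustrative, and it assumes the service executable ends in .exe. It only reads the registry and the file system, and for each unquoted ImagePath containing spaces it lists the intermediate paths Windows would try first and whether a file already exists there.

```powershell
# Added example: read-only audit for unquoted service paths (CWE-428).
# Function names are illustrative. Run from an elevated PowerShell session.

function Get-ExecutablePortion {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { return $null }    # already quoted: not affected
    # Keep only the path up to the first ".exe" so arguments are not counted.
    # Assumption: the service binary has an .exe extension; drivers (.sys) are skipped.
    if ($p -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-InterimCandidates {
    param([string]$ExePath)
    # Each space is a possible end of the executable name, e.g.
    # "C:\Program Files\..." yields "C:\Program.exe".
    $out = @()
    for ($i = 0; $i -lt $ExePath.Length; $i++) {
        if ($ExePath[$i] -eq ' ') { $out += $ExePath.Substring(0, $i) + '.exe' }
    }
    return $out
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                  -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }

    $exe = Get-ExecutablePortion -ImagePath $imagePath
    if (-not $exe -or $exe -notmatch ' ') { continue }    # quoted, or no spaces

    foreach ($candidate in Get-InterimCandidates -ExePath $exe) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $imagePath
            Candidate = $candidate
            # True means a file already sits at a location Windows would try first
            Exists    = (Test-Path -LiteralPath $candidate -PathType Leaf `
                         -ErrorAction SilentlyContinue)
        }
    }
}

$findings | Sort-Object Service, Candidate | Format-Table -AutoSize -Wrap
```

Every service listed needs its ImagePath quoted; a row with Exists = True matches the Program.exe indicator listed above and should be investigated before the service is next restarted.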
Monitoring Recommendations
- Enable process creation auditing (Event ID 4688) with command-line logging to track service startup behavior
- Implement file integrity monitoring for critical directories including C:\ and C:\Program Files\
- Configure alerts for service configuration changes and new service registrations
- Review SentinelOne's behavioral AI detections for privilege escalation attempts and suspicious service-related activities
How to Mitigate CVE-2020-37045
Immediate Actions Required
- Audit all installed services for unquoted service path vulnerabilities using tools like PowerShell or third-party security scanners
- Check for unauthorized executables in C:\ and C:\Program Files\Veritas\ directories
- Restrict write permissions on the C:\ root directory to administrators only
- Contact Veritas support for guidance on patching or upgrading affected NetBackup installations
Patch Information
Consult Veritas official resources for security updates addressing this vulnerability. The Veritas Company Homepage provides access to security advisories and software updates. Additionally, review the VulnCheck Advisory on NetBackup for detailed technical information. The Exploit-DB #48227 entry contains additional exploitation details that may inform defensive measures.
Workarounds
- Manually fix the service path by adding quotation marks around the ImagePath value in the Windows registry
- Implement application whitelisting to prevent unauthorized executables from running
- Use SentinelOne's endpoint protection to detect and block privilege escalation attempts
- Restrict local user permissions to prevent writing to system directories
# Registry fix to quote the service path (run as Administrator)
# PowerShell command to update the service path
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBackup INET Daemon" -Name "ImagePath" -Value '"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


