CVE-2020-37055 Overview
CVE-2020-37055 is an unquoted service path vulnerability in SpyHunter 4 that allows local users to potentially execute arbitrary code with elevated system privileges. This security flaw occurs when Windows services are registered with executable paths containing spaces but without proper quotation marks, enabling attackers to exploit the service startup mechanism for privilege escalation.
Attackers can exploit this vulnerability by placing malicious executables in specific file system locations along the unquoted path. When the vulnerable service starts, Windows may execute the attacker's malicious binary instead of the intended service executable, resulting in code execution with SYSTEM-level privileges.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level access by exploiting the unquoted service path, potentially compromising the entire host system.
Affected Products
- SpyHunter 4 (Enigma Software)
Discovery Timeline
- 2026-02-01 - CVE CVE-2020-37055 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37055
Vulnerability Analysis
This vulnerability falls under CWE-428 (Unquoted Search Path or Element), a class of security flaws that affect Windows services with improperly configured executable paths. When a Windows service is registered with a path that contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager (SCM) interprets the path ambiguously during service startup.
For example, if a service is registered with the path C:\Program Files\SpyHunter\Service.exe, Windows will attempt to execute binaries in the following order:
- C:\Program.exe
- C:\Program Files\SpyHunter\Service.exe
If an attacker can write a malicious executable named Program.exe to the C:\ directory, it will be executed with the privileges of the service account—typically SYSTEM—before the legitimate service binary.
Root Cause
The root cause of CVE-2020-37055 is the improper registration of the SpyHunter service during installation. The service executable path was stored in the Windows registry without enclosing quotation marks, despite containing spaces in the directory structure. This configuration oversight allows the Windows SCM to misinterpret the intended executable location.
Attack Vector
This is a local attack vector vulnerability that requires the attacker to have write access to a directory within the unquoted path (such as C:\ or another directory before the intended service location). The attack unfolds as follows:
- The attacker identifies the unquoted service path in the Windows registry
- The attacker places a malicious executable at an earlier location in the path resolution order
- Upon service restart (manually triggered or during system reboot), the malicious executable runs with SYSTEM privileges
- The attacker gains elevated access to the compromised system
The vulnerability exploitation requires local access and the ability to write files to specific directories, which may require existing low-privilege access to the target system. For additional technical details regarding this vulnerability, refer to the Exploit-DB #48172 entry and the VulnCheck Advisory on SpyHunter.
Detection Methods for CVE-2020-37055
Indicators of Compromise
- Unexpected executables in root directories (e.g., C:\Program.exe, C:\Common.exe)
- Suspicious service restart events in Windows Event Logs
- New process executions with SYSTEM privileges from unusual file paths
- Modification timestamps on files in path directories preceding the SpyHunter installation folder
Detection Strategies
- Query Windows services registry keys for unquoted paths containing spaces using PowerShell or WMI
- Monitor file system changes in common exploitation directories (C:\, C:\Program Files\)
- Implement endpoint detection rules for executables written to root directories
- Use SentinelOne's behavioral AI to detect anomalous service execution patterns
Monitoring Recommendations
- Enable Windows Event Log auditing for service start/stop events (Event ID 7036)
- Configure file integrity monitoring on sensitive directories along common service paths
- Deploy SentinelOne agents with real-time behavioral analysis enabled
- Establish baseline monitoring for service-related registry key modifications
How to Mitigate CVE-2020-37055
Immediate Actions Required
- Audit all Windows services for unquoted paths containing spaces using built-in tools or security scanners
- Restrict write permissions on root directories and common path exploitation locations
- Consider uninstalling SpyHunter 4 if a patched version is not available
- Implement application allowlisting to prevent unauthorized executable execution
Patch Information
Organizations should contact Enigma Software directly through their official website to inquire about patched versions of SpyHunter that address this vulnerability. If no patch is available, consider migrating to an alternative security solution.
Workarounds
- Manually correct the service path by adding quotation marks around the executable path in the Windows registry (HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath)
- Restrict write access to C:\ and other directories that appear before the legitimate service path
- Implement strict directory permission policies using Group Policy Objects (GPO)
- Deploy SentinelOne endpoint protection to detect and block exploitation attempts in real-time
# PowerShell command to identify unquoted service paths
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match '^[^"].*\s.*[^"]$' } | Select-Object Name, PathName
# Example registry fix (run as Administrator)
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SpyHunterService" -Name "ImagePath" -Value '"C:\Program Files\SpyHunter\Service.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
