CVE-2020-37058 Overview
Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. This vulnerability is classified as CWE-428 (Unquoted Search Path or Element).
Critical Impact
Local attackers can achieve privilege escalation to LocalSystem by placing a malicious executable in a path location that Windows will execute before the intended service binary.
Affected Products
- Andrea ST Filters Service 1.0.64.7
- Windows systems with Andrea ST Filters Service installed
- Audio processing systems utilizing Andrea Electronics drivers
Discovery Timeline
- 2026-01-30 - CVE-2020-37058 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2020-37058
Vulnerability Analysis
The Andrea ST Filters Service installs a Windows service with an unquoted executable path. When the Windows Service Control Manager (SCM) attempts to start the service, it parses the unquoted path string and may locate and execute a different executable than intended if the path contains spaces. This allows a local attacker with write access to directories earlier in the path hierarchy to place a malicious binary that Windows will execute instead of the legitimate service executable.
The vulnerability requires local access and the ability to write files to specific directory locations within the service path. When successfully exploited, the attacker-controlled code executes with LocalSystem privileges, which is typically the highest privilege level on a Windows system, providing complete control over the compromised machine.
Root Cause
The root cause is improper service registration that fails to enclose the service executable path in quotation marks. When a Windows service path contains spaces (such as C:\Program Files\...) and is not properly quoted, the Windows SCM interprets the path ambiguously. For example, a path like C:\Program Files\Andrea Electronics\Service.exe can be interpreted as attempting to execute C:\Program.exe first, then C:\Program Files\Andrea.exe, before finally reaching the intended executable.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the system. The attacker must identify a writable directory location within the unquoted service path hierarchy. Once identified, the attacker places a malicious executable with an appropriate filename (such as Program.exe in C:\ or another truncated path variant). When the service starts or restarts, Windows executes the malicious binary with LocalSystem privileges.
The exploitation process involves identifying the vulnerable service path using tools like wmic service get name,displayname,pathname,startmode, locating a writable directory in the path, and placing a malicious payload. Additional technical details and proof-of-concept information are available in the Exploit-DB #48396 entry and the VulnCheck Advisory.
Detection Methods for CVE-2020-37058
Indicators of Compromise
- Unexpected executables in root directories such as C:\Program.exe or C:\Program Files\Andrea.exe
- Service startup failures or unusual service behavior for Andrea ST Filters Service
- New executable files appearing in directories along the unquoted service path
- Unexpected processes running with SYSTEM privileges associated with path hijacking
Detection Strategies
- Monitor for creation of new executables in C:\ or C:\Program Files\ directories that do not match known legitimate software
- Implement file integrity monitoring on directories within the Andrea ST Filters service path
- Use SIEM rules to detect service path enumeration commands such as wmic service get pathname
- Deploy endpoint detection rules for suspicious binary placement in common hijacking locations
Monitoring Recommendations
- Enable Windows Event Log auditing for file creation events in sensitive directories
- Configure SentinelOne behavioral AI to detect privilege escalation attempts via service path manipulation
- Regularly audit Windows services for unquoted paths using PowerShell or third-party security tools
- Monitor for suspicious service restarts that may indicate exploitation attempts
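The PowerShell audit recommended above can be sketched as follows. This is an added example, not code from the vendor or from the original advisory; the function name Get-UnquotedPathCandidate is hypothetical, and the sample path is the illustrative one used in the Root Cause section. It lists the executables the SCM would try before the intended binary and flags any that already exist on disk.

```powershell
# Added example: find services whose unquoted ImagePath is ambiguous to the SCM
# and report any earlier candidate executable that is already present on disk.
function Get-UnquotedPathCandidate {
    param([string]$ImagePath)

    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return }
    $cmd = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($cmd.StartsWith('"')) { return }                  # already quoted
    # Executable portion: shortest prefix ending in ".exe" (arguments may follow)
    if ($cmd -notmatch '^(?<exe>.+?\.exe)(\s|$)') { return }
    $tokens = $Matches['exe'] -split ' '
    # Every space is a point where the SCM may stop and try "<prefix>.exe"
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
}

# Constructed sample: the illustrative path from this page, not a value read from a host
Get-UnquotedPathCandidate 'C:\Program Files\Andrea Electronics\Service.exe'

# Live audit of the local machine
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $candidates = @(Get-UnquotedPathCandidate $svc.PathName)
    if ($candidates.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svc.Name
            StartMode  = $svc.StartMode
            RunsAs     = $svc.StartName
            PathName   = $svc.PathName
            Candidates = $candidates
            # A candidate that already exists is an indicator to investigate
            OnDisk     = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        }
    }
}
```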
How to Mitigate CVE-2020-37058
Immediate Actions Required
- Audit the system for vulnerable unquoted service paths using wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Restrict write permissions on directories in the service path hierarchy
- Update the service registry entry to include quotation marks around the service path
- Deploy SentinelOne endpoint protection with behavioral monitoring enabled
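To support the permission review in the list above, the following added example (not part of the original advisory or any vendor tooling) reports directories along a service path where broad, non-administrative groups are allowed to create files. The function name Get-BroadWriteAccess is hypothetical, and the sample path is the illustrative one from the Root Cause section.

```powershell
# Added example: walk every parent directory of a service executable and report
# ACL entries that let broad groups create files there.
# Limitation: only Allow entries for the listed SIDs are checked; Deny entries
# and membership in other groups are not evaluated.
function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$ExecutablePath)

    # Well-known SIDs, used instead of names so the check works on localized systems
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    # CreateFiles/WriteData (0x2) | GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000)
    $createMask = 0x50000002
    $sidType    = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $dir = Split-Path -Parent $ExecutablePath
    while ($dir) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $acl = Get-Acl -LiteralPath $dir
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $rule.IdentityReference.Value
                # Inherit-only entries apply to children, not to this directory itself
                if ($rule.AccessControlType -eq 'Allow' -and
                    -not $rule.PropagationFlags.HasFlag($inheritOnly) -and
                    $broad.ContainsKey($sid) -and
                    (([int]$rule.FileSystemRights -band $createMask) -ne 0)) {
                    [pscustomobject]@{
                        Directory = $dir
                        Principal = $broad[$sid]
                        Rights    = $rule.FileSystemRights
                    }
                }
            }
        }
        $dir = Split-Path -Parent $dir      # returns an empty string at the drive root
    }
}

# Constructed sample input: the illustrative path from this page
Get-BroadWriteAccess 'C:\Program Files\Andrea Electronics\Service.exe'
```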
Patch Information
No vendor patch has been identified in the available references. Administrators should contact Andrea Electronics for updated software or implement manual remediation. Review the VulnCheck Advisory for the latest remediation guidance.
Workarounds
- Manually quote the service path in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath
- Remove write permissions for standard users on all directories within the unquoted service path
- Consider disabling the service if it is not critical to operations until a proper fix is available
- Implement application whitelisting to prevent execution of unauthorized binaries
rem Registry fix to quote the service path (run from an elevated Command Prompt; the \" escaping below is cmd.exe/reg.exe syntax, not PowerShell)
rem First, identify the current ImagePath value, then update it with the quoted path
rem Example: reg query "HKLM\SYSTEM\CurrentControlSet\Services\AndreaSTFilters" /v ImagePath
rem reg add "HKLM\SYSTEM\CurrentControlSet\Services\AndreaSTFilters" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Andrea Electronics\ST Filters Service\Service.exe\"" /f
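A PowerShell form of the same registry workaround, as an added example that is not from the vendor or the original advisory. The function name Set-QuotedServiceImagePath is hypothetical, and AndreaSTFilters is the example key name used on this page; confirm the real service name on the host before running it. It quotes only the executable portion, preserves any arguments and the registry value type, and supports -WhatIf.

```powershell
# Added example: wrap the executable portion of a service's ImagePath in quotes.
function Set-QuotedServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
    # Read the stored string without expanding %SystemRoot%-style variables
    $raw = [string]$key.GetValue('ImagePath', '', 'DoNotExpandEnvironmentNames')

    # Leave quoted values, drivers (.sys) and anything without an .exe untouched
    if ($raw -notmatch '^(?<exe>[^"]+?\.exe)(?<rest>\s.*)?$') {
        Write-Verbose "No change needed: $raw"
        return
    }
    $exe, $rest = $Matches['exe'], $Matches['rest']
    if ($exe -notmatch '\s') {
        Write-Verbose "Executable path has no spaces: $raw"
        return
    }

    $kind  = $key.GetValueKind('ImagePath')     # keep REG_SZ or REG_EXPAND_SZ as stored
    $fixed = '"' + $exe + '"' + $rest
    if ($PSCmdlet.ShouldProcess($keyPath, "Set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $keyPath -Name ImagePath -Value $fixed -Type $kind
        # Emit before/after so the change can be recorded and reverted
        [pscustomobject]@{ Service = $ServiceName; Before = $raw; After = $fixed }
    }
}

# Preview the change first, using the example key name from this page:
# Set-QuotedServiceImagePath -ServiceName 'AndreaSTFilters' -WhatIf
```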

