CVE-2020-37059 Overview
CVE-2020-37059 is an unquoted service path vulnerability in Popcorn Time 6.2.1.14 that allows local non-privileged users to potentially execute code with elevated system privileges. This vulnerability arises when the Windows service path contains spaces but is not enclosed in quotation marks, enabling attackers to insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup.
Critical Impact
Local attackers can achieve privilege escalation to SYSTEM-level permissions by placing a malicious executable in a path that Windows will attempt to execute before the legitimate service binary.
Affected Products
- Popcorn Time 6.2.1.14
- Popcorn Time Update Service component
Discovery Timeline
- 2026-01-30 - CVE-2020-37059 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2020-37059
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with an executable path that contains spaces but is not enclosed in quotation marks, Windows cannot tell where the executable name ends and its arguments begin. It resolves the ambiguity by treating each space as a possible end of the file name and trying the resulting prefixes from shortest to longest, appending .exe where the prefix has no extension. This parsing behavior can be exploited by attackers who have local access to the system.
For example, if the service path is configured as C:\Program Files (x86)\Popcorn Time\Update Service\service.exe, Windows will attempt to execute the following candidates, in order, before reaching the intended binary:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\Popcorn.exe
- C:\Program Files (x86)\Popcorn Time\Update.exe
An attacker with write access to any of these intermediate paths can place a malicious executable that will be run with the service's privileges—typically SYSTEM.
Root Cause
The root cause is improper configuration of the Windows service path in the Popcorn Time Update Service. The service path contains spaces but lacks proper quotation marks around the full path string. This is a common Windows service misconfiguration that has persisted across many applications.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target system. The attacker must be able to write to one of the directories Windows will check during path resolution—typically C:\ or C:\Program Files (x86)\. While these directories often have restricted write permissions, certain misconfigurations or additional vulnerabilities could provide the necessary access. Once a malicious executable is placed, it will execute with SYSTEM privileges when the Popcorn Time Update Service starts or restarts.
The exploitation scenario involves placing a crafted executable (such as Program.exe in C:\) that will be invoked before the legitimate service binary. The malicious executable can then perform actions with elevated privileges, including creating new administrator accounts, installing backdoors, or exfiltrating sensitive data.
Detection Methods for CVE-2020-37059
Indicators of Compromise
- Unexpected executable files in C:\ root directory (e.g., Program.exe, Program Files.exe)
- Suspicious executables in C:\Program Files (x86)\ with names matching path components (e.g., Popcorn.exe)
- Unusual child processes spawned by the Popcorn Time Update Service
- Event log entries showing unexpected service execution paths
Detection Strategies
- Audit Windows services for unquoted service paths using PowerShell or third-party tools
- Monitor for file creation events in system root directories and Program Files paths
- Implement application whitelisting to prevent unauthorized executables from running
- Use endpoint detection and response (EDR) solutions to identify anomalous process execution
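The service audit recommended above, combined with the resolution order described under Vulnerability Analysis, as an added PowerShell example (not code from the advisory or the vendor). The function names Get-UnquotedPathCandidate and Find-UnquotedServicePath are hypothetical; Get-CimInstance, the Win32_Service class and Test-Path are standard Windows components.

```powershell
# Added example, not from the advisory: audit services for CWE-428.
# Function names are hypothetical; Win32_Service and Test-Path are built in.
function Get-UnquotedPathCandidate {
    # Emits the executables Windows would try before the real binary
    # when $CommandLine is an unquoted service command line.
    param([Parameter(Mandatory)][string]$CommandLine)

    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd.StartsWith('"')) { return }    # quoted: unambiguous
    # The binary ends at the first ".exe" followed by whitespace or end of
    # string; the rest is arguments (e.g. "svchost.exe -k netsvcs").
    if (-not ($cmd -match '^(?<exe>.+?\.exe)(\s|$)')) { return }
    $exe = $Matches['exe']

    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $prefix = $exe.Substring(0, $i)
        # .exe is appended only when the prefix has no extension.
        if (-not [IO.Path]::GetExtension($prefix)) { $prefix += '.exe' }
        $prefix
        $i = $exe.IndexOf(' ', $i + 1)
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }    # skip services with no path
        $candidates = @(Get-UnquotedPathCandidate -CommandLine $svc.PathName)
        if ($candidates.Count -eq 0) { return }
        # Candidates already present on disk match the IoCs listed above.
        $onDisk = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            PathName   = $svc.PathName
            Candidates = $candidates
            OnDisk     = $onDisk
        }
    }
}

# Constructed input: the example path from the analysis above.
Get-UnquotedPathCandidate -CommandLine 'C:\Program Files (x86)\Popcorn Time\Update Service\service.exe'

# Audit the local machine and list every affected service.
Find-UnquotedServicePath | Format-List
```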
Monitoring Recommendations
- Enable Windows Security Event logging for process creation (Event ID 4688)
- Configure file integrity monitoring on sensitive directories
- Establish baseline service configurations and alert on deviations
- Monitor privilege escalation attempts through security information and event management (SIEM) correlation
How to Mitigate CVE-2020-37059
Immediate Actions Required
- Review and remediate the Popcorn Time Update Service path by enclosing it in quotation marks
- Audit all installed services for similar unquoted path vulnerabilities
- Restrict write permissions to system root and Program Files directories
- Consider uninstalling Popcorn Time if not required for business operations
Patch Information
No official patch has been referenced in the available CVE data. Organizations should consider applying manual remediation by modifying the service path configuration in the Windows registry to include proper quotation marks around the executable path. For detailed technical information, refer to the VulnCheck Advisory on Popcorn Time and Exploit-DB #48378.
Workarounds
- Manually edit the service registry key to add quotation marks around the ImagePath value
- Restrict local user write access to directories in the service path
- Implement application control policies to prevent unauthorized executable execution
- Use SentinelOne's Endpoint Protection to detect and block privilege escalation attempts
REM Registry remediation example (elevated cmd.exe prompt) - add quotes to service path
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PopcornTimeUpdateService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Popcorn Time\Update Service\service.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

