CVE-2020-37064 Overview
EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. This local privilege escalation vulnerability exists because the service executable path contains spaces and is not properly enclosed in quotation marks, enabling attackers to place malicious executables in locations that Windows will execute with elevated privileges.
Critical Impact
Attackers with local access can exploit the unquoted service path to execute arbitrary code with LocalSystem privileges, achieving complete system compromise.
Affected Products
- EPSON EasyMP Network Projection 2.81
- EPSON EasyMP Network Projection versions prior to 2.86
- Windows systems running the EMP_NSWLSV service
Discovery Timeline
- 2026-02-01 - CVE CVE-2020-37064 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37064
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). The EMP_NSWLSV service in EPSON EasyMP Network Projection uses an unquoted path that contains spaces: C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\. When Windows attempts to start this service, it parses the path and may execute an attacker-placed executable before reaching the intended service binary.
The vulnerability requires local access to exploit, but the impact is significant as successful exploitation grants LocalSystem privileges—the highest privilege level on Windows systems. This allows complete control over the affected machine, including the ability to install programs, view or modify data, and create new accounts with full user rights.
Root Cause
The root cause of this vulnerability is improper quoting of the service executable path during installation. When a Windows service path contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager interprets the path ambiguously. For the path C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe, Windows will attempt to locate and execute files in this order:
- C:\Program.exe
- C:\Program Files.exe
- C:\Program Files (x86)\EPSON.exe
- C:\Program Files (x86)\EPSON Projector\EasyMP.exe
If any of these files exist and the attacker has placed a malicious executable there, it will be executed with the service's privileges.
Attack Vector
Exploitation requires local access to the target system with write permissions to one of the potential executable locations in the search path. The attack vector involves:
- Identifying the vulnerable unquoted service path
- Placing a malicious executable (e.g., Program.exe or EasyMP.exe) in an accessible directory within the path
- Triggering the service to restart (either by waiting for system reboot or forcing a service restart if permissions allow)
- The malicious code executes with LocalSystem privileges when the service starts
The exploitation of this vulnerability is relatively straightforward for attackers with local system access. Detailed technical information is available in the Exploit-DB entry #48069 and the VulnCheck advisory.
Detection Methods for CVE-2020-37064
Indicators of Compromise
- Unexpected executable files named Program.exe, EPSON.exe, or EasyMP.exe in C:\, C:\Program Files (x86)\, or C:\Program Files (x86)\EPSON Projector\ directories
- Unusual processes running with SYSTEM privileges originating from non-standard paths
- Service failure events followed by suspicious process execution in Windows Event Logs
- New or modified files in directory paths associated with the EMP_NSWLSV service
Detection Strategies
- Query all Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -like '* *' -and $_.PathName -notlike '"*'}
- Monitor file creation events in root directories and program file folders for executable files with suspicious names
- Implement file integrity monitoring on directories within the vulnerable service path
- Use endpoint detection rules to alert on SYSTEM-level process creation from unexpected locations
Monitoring Recommendations
- Enable Windows Security Event logging for service starts (Event ID 7045) and process creation (Event ID 4688)
- Deploy SentinelOne's behavioral AI to detect privilege escalation attempts and anomalous service behavior
- Monitor for changes to the EMP_NSWLSV service configuration in the Windows Registry
- Implement application whitelisting to prevent unauthorized executables from running in sensitive paths
How to Mitigate CVE-2020-37064
Immediate Actions Required
- Audit systems for the presence of EPSON EasyMP Network Projection version 2.81 and earlier
- Check for suspicious executables in directories along the unquoted service path
- Manually correct the service path by adding quotation marks around the full executable path
- Update to EPSON EasyMP Network Projection version 2.86 or later
Patch Information
EPSON has released an updated version of EasyMP Network Projection that addresses this vulnerability. Users should upgrade to version 2.86 or later, which is available from the Epson Network Projection Support page. The updated version properly quotes the service path, preventing exploitation of this vulnerability.
Workarounds
- Manually fix the unquoted service path by modifying the ImagePath registry value to include quotation marks
- Restrict write permissions on directories within the service path to prevent unauthorized executable placement
- Remove the EPSON EasyMP Network Projection software if it is not essential for business operations
- Implement application control policies to prevent unauthorized executables from running
# Configuration example - Fix unquoted service path via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\EMP_NSWLSV" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
