CVE-2020-37102 Overview
CVE-2020-37102 is an unquoted service path vulnerability affecting Adaware Web Companion version 4.9.2159. The vulnerability exists in the WCAssistantService component, which improperly handles the service binary path. When the Windows Service Control Manager attempts to start the service, it searches for the executable in a predictable manner that can be exploited by local attackers to execute arbitrary code with elevated privileges.
Critical Impact
Local attackers can exploit the unquoted service path to inject malicious executables that execute with LocalSystem privileges during service startup, potentially leading to complete system compromise.
Affected Products
- Adaware Web Companion 4.9.2159
- WCAssistantService component
- Windows systems running affected Web Companion versions
Discovery Timeline
- 2026-02-03 - CVE CVE-2020-37102 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37102
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element), a well-known Windows privilege escalation technique. The WCAssistantService in Adaware Web Companion registers its service binary path without proper quotation marks. When Windows parses an unquoted path containing spaces, the Service Control Manager follows a specific search order, attempting to execute binaries at each space-delimited segment of the path.
For example, if the service path is configured as C:\Program Files\Adaware\Web Companion\WCAssistant.exe, Windows will attempt to execute in this order: C:\Program.exe, C:\Program Files\Adaware\Web.exe, and so on. An attacker with write access to any of these intermediate directories can place a malicious executable that will be executed with the service's privilege level—in this case, LocalSystem.
Root Cause
The root cause is improper configuration of the Windows service registration. The service binary path lacks quotation marks around the full path string, which is required when the path contains space characters. This configuration oversight allows the Windows Service Control Manager to misinterpret path segments as separate executable paths during service startup resolution.
Attack Vector
The attack requires local access to the target system. An attacker must have sufficient filesystem permissions to write an executable file to one of the intermediate path locations that Windows will check during service startup. When the WCAssistantService starts (either manually, during system boot, or after a restart), the malicious executable will be launched with LocalSystem privileges, granting the attacker complete control over the affected system.
The exploitation technique involves identifying writable locations in the unquoted path, crafting a malicious executable with an appropriate name (such as Program.exe or Web.exe), placing it in the target directory, and triggering a service restart. Technical details and proof-of-concept information can be found in the Exploit-DB #47852 advisory.
Detection Methods for CVE-2020-37102
Indicators of Compromise
- Presence of unexpected executables named Program.exe, Web.exe, or similar in root directories or intermediate paths
- Suspicious process execution originating from the WCAssistantService with unusual child processes
- Unexpected files in C:\ or C:\Program Files\Adaware\ directories that are not part of the legitimate installation
- Evidence of privilege escalation attempts from low-privileged user accounts
Detection Strategies
- Audit Windows services for unquoted service paths using PowerShell commands such as Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in system root directories and program folders for unexpected executables
- Implement application whitelisting to prevent unauthorized executable execution
- Use endpoint detection solutions to alert on anomalous service behavior and unexpected LocalSystem process spawning
Monitoring Recommendations
- Enable Windows Security Event logging for service installation and modification events (Event ID 4697, 7045)
- Configure file integrity monitoring on sensitive directories including C:\, C:\Program Files\, and service installation paths
- Deploy behavioral analysis to detect privilege escalation patterns associated with service exploitation
- Regularly audit installed services for configuration vulnerabilities using vulnerability scanning tools
How to Mitigate CVE-2020-37102
Immediate Actions Required
- Audit the WCAssistantService registry entry and verify the service path configuration
- Update Adaware Web Companion to the latest available version that addresses this vulnerability
- Consider uninstalling Web Companion if it is not essential to operations until a patched version is available
- Restrict write permissions on intermediate path directories to prevent exploitation
Patch Information
Refer to the VulnCheck Advisory on AdAware for the latest patch status and remediation guidance. Users should visit the Web Companion Homepage to check for updated versions of the software that address this vulnerability.
Workarounds
- Manually fix the service path by adding quotation marks around the binary path in the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Services\WCAssistantService\ImagePath
- Restrict filesystem ACLs on directories in the service path to prevent unauthorized users from writing executable files
- Implement application control policies to block execution of unsigned or unauthorized executables in system directories
- Consider disabling the WCAssistantService if the Web Companion functionality is not required
# PowerShell command to identify the vulnerable service path
Get-WmiObject win32_service | Where-Object {$_.Name -eq "WCAssistantService"} | Select-Object Name, PathName
# Registry path to manually remediate the unquoted service path
# HKLM\SYSTEM\CurrentControlSet\Services\WCAssistantService\ImagePath
# Wrap the path value in quotation marks: "C:\Program Files\Adaware\Web Companion\WCAssistant.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
