CVE-2020-37129 Overview
CVE-2020-37129 is an insecure folder permissions vulnerability affecting Memu Play 7.1.3, a popular Android emulator for Windows. The vulnerability allows low-privileged local users to modify the MemuService.exe executable due to improper access control on the installation directory. By replacing the service executable with a malicious file, attackers can achieve SYSTEM-level privileges when the system restarts and the service is executed.
Critical Impact
Local privilege escalation to SYSTEM allows complete compromise of the affected Windows host, enabling attackers to install malware, exfiltrate data, or pivot to other systems on the network.
Affected Products
- Memu Play version 7.1.3
- Potentially earlier versions of Memu Play with similar folder permission configurations
- Windows systems running the affected Memu Play version as a service
Discovery Timeline
- 2026-02-05 - CVE-2020-37129 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2020-37129
Vulnerability Analysis
This vulnerability stems from CWE-276 (Incorrect Default Permissions), where the Memu Play installation directory and its contents are configured with overly permissive access controls. Specifically, the MemuService.exe file can be modified by low-privileged users on the system. Since this executable runs as a Windows service with SYSTEM privileges, any user who can write to this file can effectively gain complete control over the system.
The attack requires local access to the target system, making it particularly dangerous in multi-user environments, shared workstations, or systems where attackers have already gained initial access through other means. The vulnerability enables vertical privilege escalation from a low-privileged user account to SYSTEM-level access.
Root Cause
The root cause is improper file system permissions set during Memu Play installation. The installer fails to restrict write access to critical service executables, allowing any authenticated local user to modify MemuService.exe. This misconfiguration violates the principle of least privilege, as service executables should only be writable by administrators.
Attack Vector
The attack follows a classic service binary hijacking pattern:
- An attacker with low-privileged access identifies the vulnerable MemuService.exe file with weak permissions
- The attacker replaces the legitimate service executable with a malicious payload (such as a reverse shell or persistence mechanism)
- When the system restarts or the service is restarted, Windows executes the malicious binary with SYSTEM privileges
- The attacker gains complete control of the system with the highest privilege level
This is a local attack vector requiring prior access to the system, but it does not require any user interaction beyond the initial system restart. Technical details and proof-of-concept information are available through the Exploit-DB #48283 advisory.
Detection Methods for CVE-2020-37129
Indicators of Compromise
- Unexpected modifications to MemuService.exe file hash or timestamp
- Changes to file permissions on the Memu Play installation directory
- Unusual processes spawning from MemuService.exe or its parent service
- New user accounts or suspicious scheduled tasks created after service restart
Detection Strategies
- Monitor file integrity of MemuService.exe using hash-based verification tools
- Implement Windows Security Event logging for file modifications (Event ID 4663) on the Memu Play installation directory
- Deploy endpoint detection rules for service binary replacement patterns
- Use SentinelOne's behavioral AI to detect privilege escalation attempts via service hijacking
Monitoring Recommendations
- Enable auditing on the Memu Play installation folder to track write operations
- Configure alerts for changes to Windows service configurations
- Monitor process creation events for services starting unusual child processes
- Review Windows Security logs for privilege escalation indicators
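The permission and integrity checks described under Detection Strategies and Monitoring Recommendations, as an added PowerShell example that is not part of this advisory or of Memu Play: it flags any Allow ACE on the install directory or MemuService.exe that grants write-capable rights to a principal other than SYSTEM, Administrators or TrustedInstaller, and compares the binary's SHA-256 against a baseline. The default install path and the baseline hash placeholder are assumptions; record the baseline from a known-clean install.

```powershell
# Added example (not from the advisory): audit the MEmu install directory and
# MemuService.exe for write-capable ACEs held by non-privileged principals, then
# compare the service binary's hash against a known-good baseline.
# Assumptions: default install path below; the baseline hash is a placeholder
# that you record from a clean install.

$InstallDir   = 'C:\Program Files\Microvirt\MEmu'
$ServiceExe   = Join-Path $InstallDir 'MemuService.exe'
$BaselineHash = 'PLACEHOLDER_SHA256_FROM_CLEAN_INSTALL'

# Principals expected to hold write access to a SYSTEM service binary.
$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets the holder change or replace the file, or drop files into the folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WeakWriteAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a weak parent folder ACL
            }
        }
    }
}

$findings = @(
    Get-WeakWriteAces -Path $InstallDir
    Get-WeakWriteAces -Path $ServiceExe
)

if ($findings.Count -gt 0) {
    Write-Warning "CVE-2020-37129 exposure: non-privileged principals can write to the service binary or its folder"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "ACLs on $InstallDir and MemuService.exe restrict writes to trusted principals"
}

# Integrity check: a mismatch means the binary changed since the baseline was recorded.
$current = (Get-FileHash -LiteralPath $ServiceExe -Algorithm SHA256).Hash
if ($current -ne $BaselineHash) {
    Write-Warning "MemuService.exe hash $current does not match baseline; investigate before the service next starts"
}
```

Run it from an elevated prompt so Get-Acl can read the full DACL; schedule it alongside the 4663 auditing described above to catch a replacement between scans.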
How to Mitigate CVE-2020-37129
Immediate Actions Required
- Verify and correct file permissions on the Memu Play installation directory immediately
- Restrict write access to MemuService.exe to Administrators only
- Consider temporarily disabling the Memu service until proper permissions are applied
- Audit systems for signs of prior exploitation
Patch Information
Users should update to the latest version of Memu Play available from the official website. Additionally, organizations should verify that newer versions have corrected the folder permission issue. Consult the VulnCheck Advisory for the latest remediation guidance.
Workarounds
- Manually restrict NTFS permissions on the Memu Play installation directory to prevent non-administrative writes
- Remove write permissions for the Users and Authenticated Users groups on service executables
- Consider running Memu Play with a non-service configuration if possible
- Implement application whitelisting to prevent unauthorized executable modifications
# Windows command to restrict permissions on MemuService.exe (default install path shown):
# /inheritance:r strips the inherited, overly permissive ACEs and /grant:r leaves only explicit Full Control for Administrators and SYSTEM
icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe" /inheritance:r /grant:r Administrators:F /grant:r SYSTEM:F
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.