CVE-2020-37223 Overview
CVE-2020-37223 is an unquoted service path vulnerability in IObit Uninstaller 9.5.0.15. The flaw resides in the IObitUnSvr service, which registers its executable path without surrounding quotation marks. Local attackers with limited privileges can exploit this misconfiguration to escalate to SYSTEM by placing a malicious binary named IObit.exe in C:\Program Files (x86)\IObit. When the service restarts, Windows resolves the unquoted path and executes the attacker-controlled binary. The weakness is classified as [CWE-428] Unquoted Search Path or Element.
Critical Impact
Local low-privileged users can execute arbitrary code as SYSTEM, achieving full host compromise on machines running the affected IObit Uninstaller version.
Affected Products
- IObit Uninstaller 9.5.0.15
- IObitUnSvr Windows service component
- Default Windows installations at C:\Program Files (x86)\IObit
Discovery Timeline
- 2026-05-13 - CVE-2020-37223 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2020-37223
Vulnerability Analysis
The vulnerability stems from Windows Service Control Manager (SCM) behavior when parsing service binary paths. When a service path contains spaces and is not enclosed in quotation marks, Windows attempts to execute each space-delimited token as a candidate executable. The IObitUnSvr service in IObit Uninstaller 9.5.0.15 registers its ImagePath without quotes, creating multiple candidate execution paths that an attacker can hijack.
The service runs in the LocalSystem security context. Successful exploitation grants the attacker complete control over the host, including the ability to install persistence mechanisms, dump credentials, and disable security controls. Because exploitation only requires write access to a single directory, this becomes a reliable post-compromise privilege escalation primitive.
Root Cause
The root cause is improper handling of file paths containing spaces during service registration [CWE-428]. The installer writes the service ImagePath registry value at HKLM\SYSTEM\CurrentControlSet\Services\IObitUnSvr without wrapping the value in quotes. Windows then evaluates the path tokens sequentially when starting the service.
Attack Vector
An authenticated local attacker with write access to C:\Program Files (x86)\IObit plants a malicious executable named IObit.exe in that directory. When the IObitUnSvr service starts, either on system reboot or via manual restart, the SCM resolves C:\Program Files (x86)\IObit.exe before the intended target executable. The malicious binary executes under the LocalSystem account, completing the privilege escalation chain. Refer to the VulnCheck Advisory for IObit and Exploit-DB #48543 for the published proof of concept.
Detection Methods for CVE-2020-37223
Indicators of Compromise
- Presence of an unexpected IObit.exe binary at C:\Program Files (x86)\IObit.exe (outside the standard IObit subdirectory).
- IObitUnSvr service registry ImagePath value missing surrounding quotation marks.
- Child processes of services.exe running as SYSTEM and spawning from non-standard paths inside the IObit directory tree.
Detection Strategies
- Enumerate Windows services and flag any whose ImagePath contains spaces but no quotation marks, focusing on third-party services running as LocalSystem.
- Monitor file creation events in C:\Program Files (x86)\IObit for executables named IObit.exe written by non-installer processes.
- Correlate service start events (Windows Event ID 7036) for IObitUnSvr with subsequent process creation events to identify hijacked execution paths.
Monitoring Recommendations
- Enable Sysmon Event ID 1 (process creation) and Event ID 11 (file create) on endpoints running IObit products.
- Audit registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\IObitUnSvr to detect tampering or path changes.
- Alert on any process started by services.exe where the parent path resolves outside the vendor-installed binary location.
How to Mitigate CVE-2020-37223
Immediate Actions Required
- Upgrade IObit Uninstaller to a version later than 9.5.0.15 where the service path is correctly quoted.
- Restrict write permissions on C:\Program Files (x86)\IObit so that only administrators can place files in the directory.
- Audit all third-party services on managed hosts for unquoted service paths and remediate them as a class of weakness.
Patch Information
IObit released updated versions of IObit Uninstaller that correctly quote the service ImagePath. Refer to the IObit Advanced Uninstaller Page for the latest installer. Verify the registry value after upgrade to confirm the path is enclosed in quotation marks.
Workarounds
- Manually edit the ImagePath value at HKLM\SYSTEM\CurrentControlSet\Services\IObitUnSvr to wrap the full path in double quotes, then restart the service.
- Set the IObitUnSvr service start type to Disabled on hosts where the uninstaller is not actively used.
- Apply NTFS access control lists that deny write access to C:\Program Files (x86)\IObit for non-administrative users.
# Configuration example: remediate the unquoted ImagePath via PowerShell (run as Administrator)
$svc = 'IObitUnSvr'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
if ($current -notmatch '^"') {
$fixed = '"' + $current.Trim() + '"'
Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
Restart-Service -Name $svc
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
