CVE-2020-37232 Overview
CVE-2020-37232 is an unquoted service path vulnerability [CWE-428] in IObit Advanced System Care Service version 13.0.0.157. The AdvancedSystemCareService13 Windows service registers its binary path without surrounding quotation marks. A local attacker with low-privilege access can place a malicious executable along the unquoted path. Windows will execute that binary with LocalSystem privileges at service startup or system reboot. The flaw enables full local privilege escalation on affected hosts.
Critical Impact
Local attackers can escalate to LocalSystem privileges by dropping a crafted executable into a writable directory along the unquoted service path, gaining complete control over the host.
Affected Products
- IObit Advanced System Care Service 13.0.0.157
- Advanced System Care Pro installations bundling the vulnerable service
- Windows hosts running the AdvancedSystemCareService13 service with default installation paths
Discovery Timeline
- 2026-05-16 - CVE-2020-37232 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37232
Vulnerability Analysis
The vulnerability resides in how the AdvancedSystemCareService13 Windows service is registered. The ImagePath registry value for the service contains spaces but is not wrapped in quotation marks. When Windows resolves an unquoted path containing spaces, it treats each space as a possible end of the executable name: it tries the text up to the first space with .exe appended, then the text up to the second space, and so on. The Service Control Manager (SCM) launches whichever candidate it finds first. Because the service runs as LocalSystem, any executable substituted along this path inherits the highest privilege level on the system. This is a well-known Windows misconfiguration class tracked under [CWE-428: Unquoted Search Path or Element].
Root Cause
The installer registers the service binary path without surrounding double quotes. Windows treats spaces in the path as argument separators, producing multiple candidate executables such as C:\Program.exe or C:\Program Files\IObit\Advanced.exe. If any candidate directory is writable by non-privileged users, an attacker can plant an executable there. Default ACLs on C:\ typically deny standard user writes, but misconfigured systems, custom installation roots, or weakened directory permissions expose the issue.
Attack Vector
Exploitation requires local access with the ability to write to a directory along the unquoted path. The attacker drops a payload such as Program.exe into a writable root directory. On the next service start or system reboot, the SCM executes the payload as LocalSystem. The attacker then has full administrative control, including the ability to install persistence, disable security tooling, and access protected files. A public proof of concept is referenced in Exploit-DB #49049 and the VulnCheck Advisory on Privilege Escalation.
No verified exploit code is reproduced here. See the referenced advisories for technical details.
Detection Methods for CVE-2020-37232
Indicators of Compromise
- Presence of unexpected executables in root directories such as C:\Program.exe or under writable folders along the service path
- Service AdvancedSystemCareService13 launching a binary outside the expected IObit installation directory
- New LocalSystem processes spawning from non-standard paths immediately after service start or reboot
Detection Strategies
- Audit the registry value HKLM\SYSTEM\CurrentControlSet\Services\AdvancedSystemCareService13\ImagePath for missing surrounding quotes
- Enumerate Windows services with wmic service get name,pathname,startmode and flag paths containing spaces without quotes
- Monitor process creation events (Windows Event ID 4688, Sysmon Event ID 1) where the parent is services.exe and the image path resolves to an unexpected location
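The ImagePath audit described above, together with the candidate-path resolution explained under Root Cause, as a read-only PowerShell check. This is an added example, not code from the advisory or from IObit; the function name Get-UnquotedPathCandidates is hypothetical, and the sample path is the one used in this page's workaround with the quotes removed.

```powershell
# Added example: audit service ImagePath values for unquoted paths (CWE-428).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Quoted paths and driver-style paths (\SystemRoot\..., \??\...) are not affected.
    if ($path.StartsWith('"') -or $path.StartsWith('\')) { return @() }
    # Isolate the executable portion (up to the first ".exe"); the rest is arguments.
    $m = [regex]::Match($path, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch ' ') { return @() }
    # Every space ends a prefix that is tried as "<prefix>.exe" before the real binary.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += ($exe.Substring(0, $i) + '.exe') }
    }
    return $candidates
}

# Constructed sample: the workaround path from this page, without quotes.
Get-UnquotedPathCandidates 'C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe'

# Audit every registered service on the local host (reads the registry only).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $imagePath = $svc.GetValue('ImagePath')
    if (-not $imagePath) { continue }
    $candidates = @(Get-UnquotedPathCandidates -ImagePath $imagePath)
    if ($candidates.Count -eq 0) { continue }
    [pscustomobject]@{
        Service    = $svc.PSChildName
        ImagePath  = $imagePath
        Candidates = $candidates -join '; '
        # A candidate that already exists on disk matches the planted-binary IoC above.
        Existing   = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }) -join '; '
    }
}
$findings | Sort-Object Service | Format-List
```

A non-empty Existing field means a file already sits at one of the candidate locations and should be triaged before the service is next restarted.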
Monitoring Recommendations
- Alert on file creation events for executables placed in root directories like C:\ or other path tokens preceding the legitimate service binary
- Track service configuration changes and ACL modifications on directories along the service path
- Correlate process integrity level escalations following file writes by low-privilege users
How to Mitigate CVE-2020-37232
Immediate Actions Required
- Inventory all hosts running IObit Advanced System Care 13.0.0.157 and identify the AdvancedSystemCareService13 service
- Manually quote the ImagePath registry value for the affected service until a vendor patch is applied
- Restrict write permissions on root directories and any folder along the unquoted service path to administrators only
Patch Information
No vendor patch is referenced in the available advisory data. Consult the IObit Official Website and the IObit Advanced System Care Pro product page for the latest version, and upgrade to a release where the service path is properly quoted.
Workarounds
- Edit the service ImagePath using sc config AdvancedSystemCareService13 binPath= "\"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe\"" to enforce quoting
- Remove or uninstall Advanced System Care on systems where it is not required
- Apply strict NTFS ACLs to C:\ and any custom installation root to prevent non-administrative users from writing executables
REM Configuration example (run from an elevated cmd.exe prompt): re-register the service with a quoted binary path, then verify it
sc config AdvancedSystemCareService13 binPath= "\"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe\""
sc qc AdvancedSystemCareService13


