high advisory

CVE-2020-37223 - IObit Uninstaller Unquoted Service Path Privilege Escalation

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service, allowing local attackers to escalate privileges to SYSTEM by placing a malicious executable in the service's path.

IObit Uninstaller version 9.5.0.15 contains an unquoted service path vulnerability (CVE-2020-37223) in the IObitUnSvr service that enables a local attacker to escalate privileges to SYSTEM. The service's executable path is not enclosed in quotation marks, so the operating system can misinterpret the path and execute arbitrary code from attacker-controlled locations. The vulnerability was reported on May 13, 2026, and is rated high severity because of its potential for complete system compromise. Successful exploitation requires local access to the system.
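
The path misinterpretation described above, as an added audit example (not code from the advisory or from IObit): it lists the earlier paths Windows tries for an unquoted ImagePath, which are the locations to monitor and lock down, and shows the quoted form that removes the ambiguity. The advisory does not give the service's actual ImagePath, so the sample values and the function names are constructed assumptions.

```python
import re

# Constructed sample ImagePath values; the advisory does not publish the real
# IObitUnSvr path, so the subfolder and binary names below are placeholders.
SAMPLE_SERVICES = {
    "IObitUnSvr": r"C:\Program Files (x86)\IObit\IObit Example\ExampleSvc.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" /run',
    "Svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Split an unquoted ImagePath into (executable, arguments)."""
    path = image_path.strip()
    m = _EXE_END.search(path)
    end = m.end() if m else len(path)
    return path[:end], path[end:]

def shadow_paths(image_path):
    """Return the earlier paths Windows tries for an unquoted ImagePath.

    Each space in the executable part is a possible end of the file name.
    An empty list means the path is quoted or has no space to split on.
    """
    if image_path.strip().startswith('"'):
        return []
    exe, _args = split_image_path(image_path)
    found = []
    for i, ch in enumerate(exe):
        if ch != " ":
            continue
        prefix = exe[:i]
        name = prefix.rsplit("\\", 1)[-1]
        # .exe is appended when the truncated name has no extension
        found.append(prefix if "." in name else prefix + ".exe")
    return found

def quoted(image_path):
    """Return the ImagePath with its executable quoted (the fix)."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'

def audit(services):
    """Map each vulnerable service name to the paths worth monitoring."""
    return {n: p for n in services if (p := shadow_paths(services[n]))}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name, paths, "->", quoted(SAMPLE_SERVICES[name]))
```

On a live host the same functions can be fed the ImagePath values read from the services registry key instead of the constructed samples.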

Attack Chain

  1. Attacker gains local access to the target system.
  2. Attacker identifies the vulnerable service, IObitUnSvr, and its unquoted service path.
  3. Attacker places a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory.
  4. Attacker restarts the IObitUnSvr service. This can be achieved through the Services control panel (services.msc) or via command-line tools like net stop IObitUnSvr followed by net start IObitUnSvr.
  5. Due to the unquoted service path, when the service attempts to start, Windows executes the attacker-controlled IObit.exe with SYSTEM privileges.
  6. The malicious IObit.exe performs actions as the SYSTEM user, granting the attacker elevated control over the system.
  7. Attacker leverages elevated privileges to install malware, modify system configurations, or exfiltrate sensitive data.

Impact

Successful exploitation of this vulnerability allows a local attacker to escalate their privileges to SYSTEM. This can lead to complete compromise of the affected system, allowing the attacker to install programs, view, change, or delete data, or create new accounts with full administrative rights. There is no specific information about observed damage or targeted sectors included in this report.

Recommendation

  • Apply the Sigma rule "Detect IObit Uninstaller Unquoted Service Path Privilege Escalation" to detect the creation of a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory.
  • Apply the Sigma rule "Detect IObitUnSvr Service Start with Malicious Executable" to detect when the IObitUnSvr service starts a malicious executable due to the unquoted service path.
  • Upgrade IObit Uninstaller to a version that addresses CVE-2020-37223.

Detection coverage (2)

Detect IObit Uninstaller Unquoted Service Path Privilege Escalation

high

Detects the creation of a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory, indicating a potential privilege escalation attempt via unquoted service path (CVE-2020-37223).

Format: sigma. Tactics: privilege_escalation. Techniques: T1574.009. Sources: file_event, windows.

Detect IObitUnSvr Service Start with Malicious Executable

high

Detects when the IObitUnSvr service starts and executes a malicious executable due to the unquoted service path vulnerability (CVE-2020-37223).

Format: sigma. Tactics: privilege_escalation. Techniques: T1574.009. Sources: process_creation, windows.
