Kite — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/kite/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 16 May 2026 16:19:44 +0000Kite Unquoted Service Path Vulnerability (CVE-2020-37247)https://feed.craftedsignal.io/briefs/2026-05-cve-2020-37247/Sat, 16 May 2026 16:19:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2020-37247/Kite 4.2.0.1 U1 contains an unquoted service path vulnerability (CVE-2020-37247) in the KiteService Windows service that allows local attackers to escalate privileges by placing a malicious executable in a directory due to the unquoted service path.Kite 4.2.0.1 U1 suffers from an unquoted service path vulnerability within its KiteService Windows service. This weakness allows a local attacker with low privileges to escalate their privileges to LocalSystem. By exploiting the unquoted service path, an attacker can insert a malicious executable into a directory that is part of the service’s execution path. When the KiteService service starts, it will inadvertently execute the attacker-controlled binary with elevated privileges, granting the attacker full control over the system. This vulnerability has been assigned CVE-2020-37247.

Attack Chain

  1. Attacker gains low-privilege access to the target Windows system.
  2. Attacker identifies the vulnerable KiteService service with an unquoted path.
  3. Attacker analyzes the service path to identify directories where they can write files.
  4. Attacker crafts a malicious executable, named to match an expected part of the unquoted path (e.g., “Program.exe” if the path is “C:\Program Files\Kite\Program Files\KiteService.exe”).
  5. Attacker places the malicious executable in a directory within the service’s path (e.g., C:\Program Files\Kite).
  6. Attacker triggers a restart of the KiteService service (e.g., by rebooting the machine or stopping/starting the service).
  7. Windows attempts to execute the KiteService service. Due to the unquoted path, it first executes the attacker’s malicious executable with LocalSystem privileges.
  8. The attacker’s executable performs privileged actions, effectively escalating the attacker’s privileges.

Impact

Successful exploitation of this unquoted service path vulnerability allows a local attacker to escalate their privileges to LocalSystem. This grants the attacker complete control over the compromised system, allowing them to install software, modify data, and create new accounts with full administrative rights. The CVE has a CVSS v3.1 score of 7.8, indicating a high severity.

Recommendation

  • Deploy the Sigma rule Detect Unquoted Service Path Exploitation to your SIEM and tune for your environment to identify potential exploitation attempts.
  • Apply the official patch from Kite (if available) to remediate the unquoted service path vulnerability described in CVE-2020-37247.
  • Monitor process creation events for the execution of unexpected executables from directories within the unquoted service path, as described in the attack chain.
  • Implement application control policies to restrict the execution of unauthorized executables within directories commonly affected by unquoted service path vulnerabilities (e.g., C:\Program Files, C:\Program Files (x86)).
  • Use the Get-Service PowerShell cmdlet to identify services with unquoted paths in your environment.
]]>highthreatprivilege-escalationunquoted service pathcve-2020-37247windows