CVE-2020-37048

7.8 HIGH

📋 TL;DR

CVE-2020-37048 is an unquoted service path vulnerability in Iskysoft Application Framework Service that allows local attackers to execute arbitrary code with SYSTEM privileges. This affects users running version 2.4.3.241 of the software on Windows systems. Attackers need local access to the machine to exploit this vulnerability.

💻 Affected Systems

Products:
  • Iskysoft Application Framework Service
Versions: 2.4.3.241
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation configuration. The service runs with SYSTEM privileges by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the affected machine, data theft, persistence mechanisms, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to installation of malware, backdoors, or credential harvesting tools on the compromised system.

🟢 If Mitigated

Limited impact if proper endpoint security controls, least privilege principles, and service hardening are implemented.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the system and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (even with low privileges), they can exploit this to gain SYSTEM privileges and potentially move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Exploit-DB. Attackers need local access and ability to write to a directory in the service path. The exploit is straightforward for attackers with basic Windows knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.iskysoft.us

Restart Required: Yes

Instructions:

1. Uninstall Iskysoft Application Framework Service 2.4.3.241
2. Check if newer versions are available from the vendor
3. If no patch exists, implement workarounds or remove the software

🔧 Temporary Workarounds

Quote Service Path (Windows)

Modify the service configuration so the executable path is quoted. Run from an elevated command prompt; in PowerShell use sc.exe, since sc alone is an alias for Set-Content:

sc config "ISAppService" binPath= "\"C:\Program Files\Iskysoft\ISAppService.exe\""

Remove Write Permissions (Windows)

Remove write permissions for non-administrative users on the directories in the service path:

icacls "C:\Program Files\Iskysoft" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Remove Iskysoft Application Framework Service if not required
  • Implement strict endpoint security controls and monitor for suspicious service modifications

🔍 How to Verify

Check if Vulnerable:

Check if ISAppService exists and has an unquoted path: sc qc ISAppService | findstr BINARY_PATH_NAME

Check Version:

Check installed version in Programs and Features or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Verify Fix Applied:

Verify service path is quoted: sc qc ISAppService | findstr BINARY_PATH_NAME should show quoted path
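The same check as an added PowerShell example (not part of the advisory or the vendor's software): it goes beyond the single sc qc command by auditing every service on the host for an unquoted executable path containing spaces, and assumes the service name ISAppService given on this page.

```powershell
# Added example, not from the advisory: audit Windows services for the
# unquoted-service-path condition described in CVE-2020-37048.
function Test-UnquotedServicePath {
    param(
        # Service name to inspect; the default audits every service on the host
        [string]$Name = '*'
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $Name -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # The path is safe when the executable is wrapped in double quotes
            $quoted = $path.StartsWith('"')
            if ($quoted) {
                $exe = ($path -split '"')[1]
            } else {
                # Unquoted: the executable ends at the first ".exe"; the rest are arguments
                $exe = ($path -split '\.exe', 2)[0] + '.exe'
            }
            [pscustomobject]@{
                Name              = $_.Name
                RunsAs            = $_.StartName     # SYSTEM for the affected service
                PathName          = $_.PathName
                Quoted            = $quoted
                # Unquoted path with a space: the condition the CVE describes. Actual
                # exploitability also needs a writable prefix directory, which the
                # icacls workaround above removes.
                UnquotedWithSpace = (-not $quoted) -and ($exe -match '\s')
            }
        }
}

# Verify the service named in the advisory (Quoted should be True after the fix)
Test-UnquotedServicePath -Name 'ISAppService' | Format-List

# Then list every other service on the host that still has the weak configuration
Test-UnquotedServicePath | Where-Object UnquotedWithSpace |
    Format-Table Name, RunsAs, PathName -AutoSize
```

Run from an elevated PowerShell session so that the service list is complete.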

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Service Control Manager events (ID 7045) showing service path modifications
  • Security logs showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from systems running Iskysoft services
  • Lateral movement attempts from previously compromised hosts

SIEM Query:

EventID=7045 AND (ServiceName="ISAppService" OR ImagePath="*Iskysoft*")
