CVE-2020-37055
📋 TL;DR
CVE-2020-37055 is an unquoted service path vulnerability in SpyHunter 4 that allows a local attacker to execute arbitrary code with SYSTEM privileges. The service's binary path contains spaces and is not enclosed in quotes, so when the Service Control Manager starts the service, Windows tries each prefix of the path that ends at a space as the executable name before reaching the real binary (for a path under C:\Program Files\Enigma Software Group\..., that means C:\Program.exe first, then C:\Program Files\Enigma.exe, and so on). An attacker who can write to one of those directories plants an executable there and it runs as SYSTEM the next time the service starts. Only Windows systems running SpyHunter 4 are affected, and exploitation requires write access to one of those intermediate directories, which the default ACLs on C:\ and C:\Program Files do not grant to standard users.
💻 Affected Systems
- SpyHunter 4
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation leading to administrative control of the affected system, potentially enabling further attacks within the network.
If Mitigated
Limited impact with proper endpoint protection, least privilege principles, and monitoring for suspicious service behavior.
🎯 Exploit Status
Exploitation requires local access, knowledge of the unquoted service path, write access to one of the directories along that path (C:\ or C:\Program Files for the path shown below, which standard users cannot write to under default ACLs), and a way to make the service restart (a reboot, or stopping and starting it with sufficient rights). Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version from the vendor (the specific fixed build is not stated here)
Vendor Advisory: https://www.enigmasoftware.com
Restart Required: Yes
Instructions:
1. Update SpyHunter 4 to the latest version from the official vendor website.
2. Restart the system so the updated service binary and service configuration take effect.
3. Verify that the service path is quoted (see How to Verify below).
🔧 Temporary Workarounds
Manually Quote Service Path
Edit the service's binary path so the executable path is enclosed in quotes. Run from an elevated command prompt; sc.exe requires a space after binPath=, and the change only takes effect when the service is restarted (or the system rebooted). Any arguments that follow the executable must be kept outside the quotes.
sc config "SpyHunter 4 Service" binPath= "\"C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4Service.exe\""
Restrict File System Permissions
Set restrictive permissions on the directories along the service path to prevent unauthorized file creation. Note that the directories that matter are the ones where a truncated executable name would land (C:\ and C:\Program Files for the path above), which are already non-writable for standard users by default; a deny ACE on the vendor directory does not cover C:\Program.exe or C:\Program Files\Enigma.exe. Deny ACEs also apply to administrators who are members of Users and may break the product's own updater, so prefer quoting the path.
icacls "C:\Program Files\Enigma Software Group" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove SpyHunter 4 from affected systems if not essential
- Implement strict file system permissions and monitor for unauthorized executable creation in service path directories
🔍 How to Verify
Check if Vulnerable:
Query the service configuration: sc qc "SpyHunter 4 Service" | findstr BINARY_PATH_NAME
If the BINARY_PATH_NAME value contains spaces and does not begin with a double quote, the service is vulnerable. If the service name differs on your system, list services with sc query to find it.
Check Version:
Check the SpyHunter version in the program interface or in the properties of the service executable in the installation directory.
Verify Fix Applied:
Re-run sc qc "SpyHunter 4 Service" | findstr BINARY_PATH_NAME after updating or applying the workaround and restarting: the path must now start and end with a double quote.
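The following PowerShell script is an added example (not vendor code and not taken from the original page) that automates the check described in the TL;DR and in the sections above. It enumerates every service whose image path is unquoted and contains spaces, derives the candidate paths Windows tries before the real executable (the same rule CreateProcess applies), reports whether low-privilege principals hold an Allow ACE granting file creation in each candidate's directory, and provides a repair function that quotes the path in the registry (equivalent to the sc config workaround) and restarts the service. The service name "SpyHunter 4 Service" comes from this page; the function names and the low-privilege principal list are the example's own assumptions. Run from an elevated PowerShell session.

```powershell
# Added example: find unquoted service paths, list hijack candidates, and
# optionally quote the path. Not part of SpyHunter or this advisory.

function Test-WritableByLowPriv {
    # Returns $true if Everyone/Users/Authenticated Users/INTERACTIVE hold an
    # Allow ACE with the CreateFiles (0x2) bit on $Path. Deny ACEs are not
    # evaluated, so treat $true as "inspect this directory", not as proof.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Modify and FullControl both include the CreateFiles/WriteData bit.
        if (([int]$ace.FileSystemRights -band 0x2) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param([string]$Name = '*')   # service name pattern; '*' = all services

    $services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -like $Name }
    foreach ($svc in $services) {
        $path = $svc.PathName
        # Empty or already quoted: CreateProcess has nothing to guess.
        if (-not $path -or $path.StartsWith('"')) { continue }
        # Keep everything up to the first ".exe"; the rest is arguments.
        if (-not ($path -match '^(.+?\.exe)(.*)$')) { continue }
        $exe = $Matches[1]
        if ($exe -notmatch ' ') { continue }

        # CreateProcess tries each space as the end of the executable name,
        # left to right, appending ".exe"; the real path is tried last.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service            = $svc.Name
                StartMode          = $svc.StartMode
                ImagePath          = $path
                Candidate          = $candidate
                DirWritableByUsers = Test-WritableByLowPriv -Path (Split-Path -Parent $candidate)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Quotes the executable portion of ImagePath, leaving any arguments
    # outside the quotes, then restarts the service so the change applies.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($path.StartsWith('"')) { Write-Verbose "$Name is already quoted"; return }
    if (-not ($path -match '^(.+?\.exe)(.*)$')) { throw "No .exe token in '$path'" }
    $quoted = '"' + $Matches[1] + '"' + $Matches[2]
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $quoted")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
        Restart-Service -Name $Name -Force
    }
}

# Usage (service name as given on this page):
#   Get-UnquotedServicePath | Format-Table -AutoSize
#   Repair-UnquotedServicePath -Name 'SpyHunter 4 Service' -WhatIf
```

The report is worth reading for every service, not only SpyHunter: a candidate whose directory shows DirWritableByUsers = True is the one an attacker would use, while candidates under C:\ and C:\Program Files normally show False on a default install. Writing ImagePath directly rather than shelling out to sc.exe avoids PowerShell's argument re-quoting problems with nested double quotes.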
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager service-installed events (System 7045, Security 4697) recording the SpyHunter service with an unquoted ImagePath/ServiceFileName, and unexpected stop/start cycles of the service
- Security/Sysmon logs: file creation (Sysmon Event ID 11, or 4663 with object access auditing) at the paths a hijack of the path shown above would use: C:\Program.exe, C:\Program Files\Enigma.exe, C:\Program Files\Enigma Software.exe; process creation (4688 or Sysmon Event ID 1) with one of those images and services.exe as the parent process
Network Indicators:
- Unusual outbound connections from a SYSTEM-context process shortly after the service starts, especially one whose image is one of the paths above
SIEM Query:
(EventID=7045 OR EventID=4697) AND ServiceName="SpyHunter 4 Service" AND NOT (ImagePath STARTSWITH '"' OR ServiceFileName STARTSWITH '"')
The OR must be parenthesised, otherwise the AND conditions bind only to 4697. Event 7045 carries the path in the ImagePath field and 4697 in ServiceFileName, so map the field names to your SIEM's schema. This query flags installation of the unquoted service (the vulnerable version being installed), not its exploitation; the file and process creation indicators above cover exploitation.
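The following PowerShell script is an added example (not vendor code and not from the original page) that implements the detection logic above directly against the Windows event logs: it finds service-install events whose image path is unquoted and contains spaces (System 7045 and Security 4697), and file-create events at the candidate paths derived from the SpyHunter 4 service path shown on this page (Sysmon Event ID 11). The service path default is the one given on this page; the function names are the example's own. Run elevated; 4697 requires the "Audit Security System Extension" policy, the Sysmon query requires Sysmon with FileCreate logging, and the Sysmon User field is only present in recent Sysmon versions.

```powershell
# Added example: hunt for unquoted service installs and for planted binaries
# along the SpyHunter 4 service path. Not part of SpyHunter or this advisory.

function ConvertFrom-EventData {
    # Flatten the <Data Name="x">v</Data> elements of an event into a hashtable.
    param([Parameter(Mandatory)]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Test-UnquotedSpacedPath {
    # True when the executable portion (up to the first ".exe") contains a
    # space and the path does not start with a double quote.
    param([string]$ImagePath)
    if (-not $ImagePath -or $ImagePath.StartsWith('"')) { return $false }
    if ($ImagePath -match '^(.+?\.exe)') { return ($Matches[1] -match ' ') }
    return $false
}

function Get-UnquotedServiceInstallEvent {
    param([int]$Days = 30)
    $since   = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'System';   Id = 7045; StartTime = $since }   # SCM: new service
        @{ LogName = 'Security'; Id = 4697; StartTime = $since }   # Audit: service installed
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertFrom-EventData $_
            # 7045 names the field ImagePath; 4697 names it ServiceFileName.
            $img = if ($d.ContainsKey('ImagePath')) { $d['ImagePath'] } else { $d['ServiceFileName'] }
            if (Test-UnquotedSpacedPath $img) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; EventId = $_.Id
                    Service = $d['ServiceName']; ImagePath = $img
                }
            }
        }
    }
}

function Get-PlantedBinaryEvent {
    param(
        # Service executable as given on this page.
        [string]$ServiceExe = 'C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4Service.exe',
        [int]$Days = 30
    )
    # Same derivation CreateProcess applies: each space may end the executable name.
    $parts      = $ServiceExe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $q = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11
            StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        # -contains compares strings case-insensitively, matching NTFS behaviour.
        if ($candidates -contains $d['TargetFilename']) {
            [pscustomobject]@{
                Time = $_.TimeCreated; Writer = $d['Image']
                User = $d['User'];     Planted = $d['TargetFilename']
            }
        }
    }
}

# Usage:
#   Get-UnquotedServiceInstallEvent -Days 90 | Format-Table -AutoSize
#   Get-PlantedBinaryEvent | Format-Table -AutoSize
```

A hit from Get-PlantedBinaryEvent (a file written to C:\Program.exe or C:\Program Files\Enigma.exe by a non-installer process) is the exploitation signal; a hit from Get-UnquotedServiceInstallEvent only tells you the vulnerable configuration was introduced. Feeding the same candidate list into a process-creation query (Sysmon Event ID 1 with ParentImage ending in services.exe) catches the payload actually being launched as SYSTEM.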