CVE-2020-37064
📋 TL;DR
CVE-2020-37064 is an unquoted service path vulnerability in EPSON EasyMP Network Projection software that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects Windows systems where the vulnerable software is installed. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- EPSON EasyMP Network Projection
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with LocalSystem privileges, allowing complete control over the affected system.
Likely Case
Local privilege escalation leading to persistence, lateral movement, or data exfiltration by authenticated attackers.
If Mitigated
Limited impact if proper access controls prevent local users from writing to the service path directory.
🎯 Exploit Status
Exploit requires local access to the system and ability to write to the service path directory. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.86
Vendor Advisory: https://epson.com/support/easymp-network-projection-v2-86-for-windows
Restart Required: Yes
Instructions:
1. Download EasyMP Network Projection V2.86 from EPSON support site.
2. Uninstall previous version.
3. Install version 2.86.
4. Restart the system.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Remove write permissions for non-administrative users on the vulnerable service path directory
icacls "C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2" /deny Users:(OI)(CI)W
Modify service path
Windows: Change the service binary path to include quotes around the full path
sc config EMP_NSWLSV binPath= "\"C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe\""
🧯 If You Can't Patch
- Apply strict access controls to prevent local users from writing to the service path directory
- Monitor for suspicious file creation in the vulnerable directory and service execution anomalies
🔍 How to Verify
Check if Vulnerable:
Check if EMP_NSWLSV service path is unquoted: sc qc EMP_NSWLSV | findstr BINARY_PATH_NAME
Check Version:
Check installed version in Control Panel > Programs and Features or via registry: reg query "HKLM\SOFTWARE\WOW6432Node\EPSON\EasyMP Network Projection" /v Version
Verify Fix Applied:
Verify service path has quotes: sc qc EMP_NSWLSV | findstr BINARY_PATH_NAME should show quoted path
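A host-wide version of the check above, as an added PowerShell example that is not part of the original advisory or EPSON's tooling: it flags any service whose binary path is unquoted and contains a space, not just EMP_NSWLSV. The function name Test-UnquotedServicePath and the sample cases are constructed for illustration.

```powershell
# Added example; function name and sample values are constructed for illustration.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }   # image path is already quoted

    # Separate the image path from trailing arguments: take everything up to
    # the first ".exe" that is followed by whitespace or end of string.
    $image = if ($p -match '^(.+?\.exe)(\s|$)') { $Matches[1] } else { $p }

    # An unquoted image path is only ambiguous when it contains a space.
    return $image.Contains(' ')
}

# Offline self-check on constructed inputs (EPSON path taken from the workaround above).
$epson = 'C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe'
$cases = @(
    @{ Path = $epson;                                       Expect = $true  }
    @{ Path = '"' + $epson + '"';                           Expect = $false }
    @{ Path = 'C:\Windows\System32\svchost.exe -k netsvcs'; Expect = $false }
    @{ Path = '"C:\Program Files\Example\svc.exe" --run';   Expect = $false }
)
foreach ($c in $cases) {
    if ((Test-UnquotedServicePath $c.Path) -ne $c.Expect) {
        throw "Self-check failed for: $($c.Path)"
    }
}

# Live audit: every service on this host with an unquoted path containing spaces.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize -Wrap
```

Services listed with a StartName of LocalSystem are the ones to fix first, using the quoted binPath form shown in the workaround.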
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service start/stop events for EMP_NSWLSV
- Security logs showing file creation in vulnerable directory
Network Indicators:
- Unusual outbound connections from systems running EasyMP Network Projection
SIEM Query:
(EventID=7045 AND ServiceName="EMP_NSWLSV") OR (ProcessCreation WHERE ImagePath contains "EMP_NSWLSV" AND NOT ImagePath contains '"')