CVE-2023-37537

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker to gain elevated privileges on Windows systems running HCL AppScan Presence service. Attackers can exploit an unquoted service path to execute arbitrary code with SYSTEM privileges. Only organizations using HCL AppScan on Cloud (ASoC) with the vulnerable Windows service are affected.

💻 Affected Systems

Products:
  • HCL AppScan on Cloud (ASoC)
  • HCL AppScan Presence
Versions: All versions prior to the fix
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows deployments where the service is installed with an unquoted path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete compromise of the Windows host, lateral movement, and persistence.

🟠 Likely Case

Local attacker escalates privileges to install malware, steal credentials, or access sensitive data on the compromised system.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to the specific service account and can be detected quickly.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the Windows system. Unquoted service path vulnerabilities are well-understood and relatively easy to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to HCL advisory for specific patched versions

Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108018

Restart Required: Yes

Instructions:

1. Review HCL advisory KB0108018.
2. Download and apply the latest patch from HCL.
3. Restart the AppScan Presence service.
4. Verify the service path is now properly quoted.

🔧 Temporary Workarounds

Quote Service Path Manually

windows

Manually edit the service path to include quotes around the executable path. Any service arguments stay inside the binPath value, after the closing escaped quote.

sc config "ServiceName" binPath= "\"C:\Path\To\Executable.exe\" arguments"

Restrict Write Permissions

windows

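Remove write permissions from directories in the unquoted service path. A deny entry for Everyone also applies to administrators and to the service's own account, so confirm the service does not need to write to the directory before applying it.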

icacls "C:\Path\To\Directory" /deny Everyone:(OI)(CI)W

🧯 If You Can't Patch

  • Apply workaround to quote the service path manually
  • Implement strict access controls and monitoring on affected systems

🔍 How to Verify

Check if Vulnerable:

Check if AppScan Presence service path is unquoted: sc qc "AppScan Presence" | findstr BINARY_PATH_NAME

Check Version:

Check installed version through HCL AppScan interface or Windows Programs and Features

Verify Fix Applied:

Verify service path now has quotes: sc qc "AppScan Presence" | findstr BINARY_PATH_NAME

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service restarts
  • Unauthorized file creation in service directories
  • Privilege escalation events

Network Indicators:

  • Unusual outbound connections from service account

SIEM Query:

EventID=4688 AND NewProcessName contains spaces AND ParentProcessName contains services.exe
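
A tighter form of the path check and the 4688 query above, as an added example that is not from the HCL advisory or from this page's original content: it flags unquoted service paths that contain spaces and alerts only when services.exe starts an image that is a truncated prefix of such a path. The service path, event records and function names are constructed for illustration.

```python
import re

# End of the image in an unquoted value: first ".exe" followed by space or end.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def image_of(bin_path):
    """Split a BINARY_PATH_NAME value into (image path, was_quoted)."""
    s = bin_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = _EXE_END.search(s)
    return (s[:m.end()] if m else s), False

def is_unquoted_with_space(bin_path):
    """True when the service path needs quoting (the 'Check if Vulnerable' test)."""
    image, quoted = image_of(bin_path)
    return not quoted and " " in image

def truncated_images(bin_path):
    """Lower-cased image names Windows may try before the intended one,
    one per space in the unquoted image path (e.g. C:\\Program.exe)."""
    image, quoted = image_of(bin_path)
    if quoted:
        return set()
    return {image[:i].lower() + ".exe" for i, c in enumerate(image) if c == " "}

def flag_events(events, service_bin_paths):
    """Return 4688 events where services.exe started a truncated image."""
    watch = set()
    for p in service_bin_paths:
        watch |= truncated_images(p)
    return [e for e in events
            if e["ParentProcessName"].lower().endswith("\\services.exe")
            and e["NewProcessName"].lower() in watch]

# Constructed sample data: a made-up service path and three made-up 4688 events.
SAMPLE_SERVICES = [r"C:\Program Files\Example Vendor\Presence\agent.exe -service"]
SERVICES_EXE = r"C:\Windows\System32\services.exe"
SAMPLE_EVENTS = [
    {"ParentProcessName": SERVICES_EXE, "NewProcessName": r"C:\Program.exe"},
    {"ParentProcessName": SERVICES_EXE,
     "NewProcessName": r"C:\Program Files\Example Vendor\Presence\agent.exe"},
    {"ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": r"C:\Program.exe"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS, SAMPLE_SERVICES):
        print("ALERT", hit["NewProcessName"])
```

The watch list is built from the services registered on the host, so a legitimate service whose full path contains spaces does not alert; only the shortened image names do.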
