Cyber Posture

CVE-2020-36916

High · Public PoC

Published: 06 January 2026

Modified: 15 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.3th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36916 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Ibmcloud (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, it ranks at the 13.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly prevents modification of executable program files, blocking attackers from replacing legitimate executables with malicious binaries.

prevent: Enforces least privilege to eliminate excessive modify permissions for low-privileged authenticated users on executable files.

prevent: Enforces access control policies that restrict unauthorized logical access and modifications to critical system resources like executables.

NVD Description

TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and gain elevated system access.

Deeper analysis [AI]

TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability, classified under CWE-732, that stems from excessive permissions allowing authenticated users to modify executable files. This flaw enables attackers to replace legitimate executables with malicious binaries, leading to unauthorized elevated access on the affected system. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

An authenticated user with low privileges can exploit this vulnerability remotely without requiring user interaction. By leveraging the 'Modify' permissions, the attacker replaces executable files with custom malicious versions, achieving full system-level access and potentially compromising the entire host environment running the PC Player software.

References for further details include advisories from IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/190627), an exploit on Exploit-DB (https://www.exploit-db.com/exploits/48953) and Packet Storm (https://packetstorm.news/files/id/159723), as well as product pages from Sony (https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y) and TDM Signage (https://www.tdmsignage.com). No specific patch or mitigation details are outlined in the provided information.
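A defender-side check for the permission condition described above, as an added example that is not from the vendor, NVD or the referenced advisories: it parses saved `icacls` output and reports executables whose ACL lets a broad group overwrite them. It generalizes beyond 'Modify' for authenticated users to other write-class rights and broad groups; the sample paths, ACLs and the list of groups treated as broad are constructed assumptions.

```python
import re
# Groups treated as "broad" (assumption for this example; tune to local policy).
BROAD = ("everyone", "nt authority\\authenticated users",
         "nt authority\\interactive", "builtin\\users")
# icacls right tokens that let the holder overwrite or replace a file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "GW", "GA"}
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1")

def risky_aces(icacls_text):
    """Return sorted (path, principal, rights) for executables a broad group can modify."""
    findings, first = set(), ""
    for raw in icacls_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            first = line  # new file entry: "<path> <principal>:(flags)"
        head, _, flags = line.rpartition(":")
        if not flags.startswith("("):
            continue  # not an ACE, e.g. the "Successfully processed" footer
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", flags) for t in grp.split(",")}
        granted = tokens & WRITE_RIGHTS
        if not granted or tokens & {"DENY", "N"}:
            continue
        for group in BROAD:
            idx = len(head) - len(group)
            whole = idx == 0 or (idx > 0 and head[idx - 1] == " ")
            if whole and head.lower().endswith(group):
                # icacls aligns every ACE of an entry to one column, so the path
                # is whatever precedes that column on the entry's first line.
                path = first[:idx].rstrip()
                if path.lower().endswith(EXEC_EXT):
                    findings.add((path, head[idx:], "".join(sorted(granted))))
    return sorted(findings)

def _entry(path, aces):
    pad = " " * (len(path) + 1)
    return "\n".join((pad if i else path + " ") + ace for i, ace in enumerate(aces))

# Constructed sample: paths and ACLs are illustrative, not taken from the advisory.
SAMPLE = "\n".join([
    _entry(r"C:\Example Signage\Player.exe",
           [r"BUILTIN\Administrators:(I)(F)", r"NT AUTHORITY\Authenticated Users:(I)(M)"]),
    _entry(r"C:\Example Signage\Updater.exe",
           [r"BUILTIN\Users:(I)(RX,W)", r"NT AUTHORITY\SYSTEM:(I)(F)"]),
    _entry(r"C:\Example Signage\Hardened.exe",
           [r"BUILTIN\Administrators:(F)", r"BUILTIN\Users:(RX)"]),
    "Successfully processed 3 files; Failed processing 0 files",
])
```

Feed it the text captured from `icacls` run recursively over the product's install directory; any row returned is a file that AC-3/AC-6 enforcement should strip write access from.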

Details

CWE(s)

Affected Products

Ibmcloud
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-38337 (Shared CWE-732)
CVE-2025-0064 (Shared CWE-732)
CVE-2026-24834 (Shared CWE-732)
CVE-2025-1067 (Shared CWE-732)
CVE-2026-26102 (Shared CWE-732)
CVE-2025-0066 (Shared CWE-732)
CVE-2025-33088 (Shared CWE-732)
CVE-2025-12985 (Shared CWE-732)
CVE-2025-21325 (Shared CWE-732)
CVE-2024-57068 (Shared CWE-732)

References