Cyber Resilience

CVE-2020-36928

HighPublic PoC

Published: 16 January 2026

Published
16 January 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 13.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-36928 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Brother Bragent. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-36928 is an unquoted service path vulnerability in Brother BRAgent version 1.38. The issue affects the WBA_Agent_Client service, which runs with LocalSystem privileges, due to an unquoted path at C:\Program Files (x86)\Brother\BRAgent\. This configuration flaw, classified under CWE-428, enables attackers to potentially replace legitimate executables with malicious ones during service startup.

A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows injection and execution of arbitrary malicious code with elevated LocalSystem permissions, resulting in high impacts on confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

References include Brother's support page explaining BRAgent functionality, Exploit-DB entries with proof-of-concept exploits (e.g., exploits/50010), and a VulnCheck advisory detailing the WBA_Agent_Client unquoted service path issue. Published on 2026-01-16, these resources highlight the vulnerability but do not specify patches in the provided details.

EU & UK References

Vulnerability details

Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.009 Path Interception by Unquoted Path Stealth
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Why these techniques?

Direct unquoted service path (CWE-428) in WBA_Agent_Client enables path interception by unquoted path for local privilege escalation to LocalSystem.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36929Same vendor: Brother
CVE-2023-54336Shared CWE-428
CVE-2020-37048Shared CWE-428
CVE-2019-25306Shared CWE-428
CVE-2020-36979Shared CWE-428
CVE-2020-37017Shared CWE-428
CVE-2021-47859Shared CWE-428
CVE-2019-25309Shared CWE-428
CVE-2021-47790Shared CWE-428
CVE-2022-50929Shared CWE-428

Affected Assets

brother
bragent
1.38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires secure configuration settings for services, including quoted executable paths to directly prevent hijacking via unquoted service path vulnerabilities like CVE-2020-36928.

prevent

Mandates timely flaw remediation to patch or correct the unquoted service path in Brother BRAgent, eliminating the vulnerability.

detect

Enables vulnerability scanning to identify unquoted service path issues such as CVE-2020-36928 for subsequent remediation.

References