CVE-2020-36975
Published: 27 January 2026
Summary
CVE-2020-36975 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in an Epson product (vendor inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2020-36975 is an unquoted service path vulnerability affecting EPSON Status Monitor 3 version 8.0. The flaw resides in the service binary path 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE', classified under CWE-428. It enables local attackers to potentially execute arbitrary code by exploiting the unquoted path, leading to privilege escalation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Local low-privileged attackers can exploit this issue with low complexity and no user interaction. By placing a malicious executable in a directory that Windows tries while resolving the unquoted path, such as locations between "Program Files" and the subsequent path elements, an attacker can achieve arbitrary code execution when the service starts or restarts. Because the code runs in the service's context, the result is privilege escalation with high impact on confidentiality, integrity, and availability.
Advisories from VulnCheck detail the unquoted service path in EpsonPMRPCV, while an exploit is publicly available on Exploit-DB (ID 49141). Epson's website provides additional references, though specific patch details are not outlined in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30874
Vulnerability details
EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unquoted service path (CWE-428) directly enables T1574.009 Path Interception by Unquoted Path for arbitrary code execution; resulting local privilege escalation maps to T1068.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the specific unquoted service path flaw in EPSON Status Monitor 3, preventing arbitrary code execution and privilege escalation.
Mandates establishment and implementation of secure configuration settings for Windows services, including enclosing unquoted paths with spaces in quotes within the registry ImagePath value.
Provides for regular vulnerability scanning that identifies unquoted service path issues like CVE-2020-36975 in service binaries for prioritized remediation.
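The configuration and scanning controls above come down to one check per service: is the executable portion of ImagePath unquoted and does it contain a space? The following added example (not part of the original page or any vendor tooling) applies that check to constructed ImagePath strings and returns the quoted form; the service names are hypothetical, and on a live host the values would be read from HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath.

```python
import re

# Constructed sample ImagePath values keyed by hypothetical service names.
# "EpsonSvc" uses the binary path quoted on this page; the rest are illustrative.
SAMPLES = {
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe" -k run',
    "EpsonSvc": r"C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE",
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Program Files\Vendor Tools\agent.exe /service",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable portion of an unquoted command line: everything up to the first
# .exe/.com/.bat/.cmd extension that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Return (flagged, suggested_value) for one ImagePath string."""
    value = image_path.strip()
    if value.startswith('"'):
        return False, value      # already quoted
    match = _EXE.match(value)
    if not match:
        return False, value      # no recognisable executable (e.g. a .sys driver)
    exe, rest = match.group(1), value[match.end():]
    if " " not in exe:
        return False, value      # no space in the path, so nothing is ambiguous
    # Quote only the executable; arguments stay outside the quotes.
    return True, f'"{exe}"{rest}'


def audit(services):
    """Map each flagged service name to its corrected ImagePath value."""
    findings = {}
    for name, path in services.items():
        flagged, fixed = audit_image_path(path)
        if flagged:
            findings[name] = fixed
    return findings


if __name__ == "__main__":
    for name, fixed in audit(SAMPLES).items():
        print(f"{name}: unquoted path with spaces; quoted form: {fixed}")
```
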