CVE-2020-36981
Published: 27 January 2026
Summary
CVE-2020-36981 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Filehorse (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2020-36981 is an unquoted service path vulnerability affecting Motorola Device Manager version 2.4.5, specifically in the PST Service associated with ForwardDaemon.exe. This flaw allows local users to potentially execute arbitrary code by exploiting the unquoted path during service startup, leading to code execution with elevated system privileges. The vulnerability is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-428.
Local low-privileged users can exploit this vulnerability with low attack complexity and no user interaction required. By placing a malicious executable in a directory that precedes the legitimate service binary in the system PATH search order, attackers can hijack the service startup process. Successful exploitation enables arbitrary code execution under SYSTEM privileges, potentially granting full control over the affected system.
Advisories, such as the one published by VulnCheck, detail the unquoted service path issue in ForwardDaemon.exe. Proof-of-concept exploits are publicly available on Exploit-DB (e.g., exploits 49011 and 49013), confirming practical exploitability. No specific patches are mentioned in the provided references, but upgrading to a newer version of Motorola Device Manager or disabling the service may mitigate the risk where feasible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30866
Vulnerability details
Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated…
more
system privileges during service startup.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path in ForwardDaemon.exe directly enables path interception by placing a malicious binary earlier in the search order, leading to SYSTEM-level execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces secure configuration settings for services, such as requiring quoted paths for ForwardDaemon.exe, directly preventing unquoted service path exploitation.
Requires timely identification, reporting, and correction of flaws like the unquoted service path in the PST Service, eliminating the vulnerability.
Restricts system to least functionality by disabling or prohibiting unnecessary vulnerable services like the PST Service, removing the attack vector.