CVE-2020-36982
Published: 27 January 2026
Summary
CVE-2020-36982 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Programas Gratis (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2020-36982 is an unquoted service path vulnerability in Motorola Device Manager version 2.5.4, specifically affecting the MotoHelperService.exe service. The flaw stems from an unquoted path in the service configuration, which allows local users to potentially inject malicious code and execute arbitrary code with elevated system privileges during service startup. It is classified under CWE-428 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by placing a malicious executable in a directory that precedes the legitimate service path in the system's search order. Upon service startup, the system executes the attacker's code instead, granting SYSTEM-level privileges. This enables high-impact compromise of confidentiality, integrity, and availability without requiring user interaction or complex conditions.
Advisories and references include a proof-of-concept exploit documented on Exploit-DB (exploit 49012), a Vulncheck advisory on the unquoted service path in MotoHelperService.exe, and a Motorola Device Manager-related page. No specific patch or mitigation details are outlined in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30867
Vulnerability details
Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system…
more
privileges during service startup.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unquoted service path in MotoHelperService.exe directly enables path interception for malicious executable execution (T1574.009) leading to SYSTEM privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
CM-6 requires secure configuration settings for system components, directly addressing the unquoted service path in MotoHelperService.exe to prevent execution of malicious code.
SI-2 mandates identification and correction of flaws like CVE-2020-36982, ensuring timely remediation of the unquoted service path vulnerability.
CM-10 enforces software usage restrictions via deny-all permit-by-exception policies, preventing execution of the malicious executable placed by attackers exploiting the unquoted path.