CVE-2020-37102
Published: 03 February 2026
Summary
CVE-2020-37102 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Webcompanion (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). It ranks at the 2.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37102 is an unquoted service path vulnerability in the WCAssistantService component of Adaware Web Companion version 4.9.2159. This issue, mapped to CWE-428, enables local attackers to potentially execute arbitrary code by exploiting the unquoted binary path in the service configuration. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-03.
Local attackers with low privileges can exploit this vulnerability by placing a malicious executable in a directory that precedes the legitimate service binary in the system's search path. When the WCAssistantService starts, the system executes the attacker's binary instead, running it with LocalSystem privileges and potentially achieving high impacts on confidentiality, integrity, and availability.
Advisories, including one from VulnCheck at https://www.vulncheck.com/advisories/adaware-web-companion-wcassistantservice-unquoted-service-path, describe the unquoted path flaw in detail. A proof-of-concept exploit is publicly available on Exploit-DB at https://www.exploit-db.com/exploits/47852. Vendor pages at http://webcompanion.com/ and related links provide additional context but do not specify patches in the referenced materials.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30974
Vulnerability details
Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unquoted service path (CWE-428) in WCAssistantService directly enables path interception by placing a malicious binary earlier in the search path, executed with LocalSystem privileges on service start.
Mitigating Controls (NIST 800-53 r5)
- Establishes and enforces secure configuration settings for services, requiring quoted executable paths to directly prevent exploitation of unquoted service paths like in WCAssistantService.
- Mandates timely identification, reporting, and remediation of flaws such as the unquoted service path vulnerability in Adaware Web Companion.
- Enforces least privilege for high-privilege services like WCAssistantService running as LocalSystem, reducing the impact of arbitrary code execution via exploited unquoted paths.
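One way to check the configuration setting described above across a host is a read-only audit of every service's binary path. This is an added example, not code from the advisory or the vendor; the function names and the sample paths (`Example Vendor`) are constructed for illustration.

```powershell
# Added example: audit Windows services for unquoted binary paths (CWE-428).
# Read-only: queries service configuration through CIM and reports findings.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PathName)

    $p = $PathName.Trim()
    if (-not $p -or $p.StartsWith('"')) { return $false }   # empty or already quoted

    # Isolate the executable portion: everything up to the first ".exe".
    # -match is case-insensitive, so ".EXE" is handled as well.
    if ($p -notmatch '^(.*?\.exe)') { return $false }        # e.g. kernel drivers: not assessed

    # Flag only when the executable path itself contains a space;
    # spaces that appear solely in the arguments are not a finding.
    return $Matches[1].Contains(' ')
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -PathName ([string]$_.PathName) } |
        Select-Object Name, StartName, StartMode, State, PathName
}

# Self-check on constructed sample values (hypothetical paths, not from the advisory).
$samples = [ordered]@{
    'C:\Program Files\Example Vendor\Agent\svc.exe'        = $true   # unquoted, space in path
    '"C:\Program Files\Example Vendor\Agent\svc.exe" -run' = $false  # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'           = $false  # space only in arguments
    ''                                                     = $false  # no binary path set
}
foreach ($s in $samples.GetEnumerator()) {
    if ((Test-UnquotedServicePath -PathName $s.Key) -ne $s.Value) {
        throw "Self-check failed for: $($s.Key)"
    }
}

# Report findings; StartName shows which ones run as LocalSystem.
Get-UnquotedServicePath |
    Sort-Object StartName, Name |
    Format-Table -AutoSize -Wrap
```

Each finding is corrected by enclosing the executable path in double quotes in the service's `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`; services reported with a `StartName` of `LocalSystem` are the ones to fix first.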