Cyber Resilience

CVE-2020-37129

HighPublic PoC

Published: 05 February 2026

Published
05 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37129 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Memuplay (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-34 (Non-modifiable Executable Programs).

Deeper analysis

CVE-2020-37129 is an insecure folder permissions vulnerability (CWE-276) affecting Memu Play version 7.1.3, a Windows-based Android emulator. The flaw enables low-privileged users to modify the MemuService.exe executable due to unrestricted file modification permissions in its folder. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity and potential for remote exploitation without authentication or user interaction.

Low-privileged users with local access to the system can exploit this vulnerability by replacing the legitimate MemuService.exe with a malicious executable. Upon system restart, the tampered service runs with SYSTEM-level privileges, allowing attackers to achieve full compromise of the host machine, including unauthorized access to sensitive data, execution of arbitrary code, and persistence mechanisms.

Advisories and related resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/memu-play-insecure-folder-permissions, the vendor site at https://www.memuplay.com/, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/48283, provide further details on the issue. Practitioners should consult these for recommended mitigations, such as updating to a patched version of Memu Play or applying restrictive folder permissions to prevent unauthorized modifications.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification…

more

permissions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1543.003 Windows Service Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
Why these techniques?

Insecure folder permissions on MemuService.exe directly match Services File Permissions Weakness (T1574.010), enabling binary replacement for SYSTEM-level execution via the Windows service (T1543.003) and resulting in privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10314Shared CWE-276
CVE-2025-57625Shared CWE-276
CVE-2021-47761Shared CWE-276
CVE-2025-24170Shared CWE-276
CVE-2026-25203Shared CWE-276
CVE-2025-24195Shared CWE-276
CVE-2024-55930Shared CWE-276
CVE-2025-24267Shared CWE-276
CVE-2024-49744Shared CWE-276
CVE-2024-53840Shared CWE-276

Affected Assets

Memuplay
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved access authorizations on files and folders, preventing low-privileged users from modifying the MemuService.exe executable.

prevent

Prevents unauthorized modification of critical executable programs like MemuService.exe that run with SYSTEM privileges.

prevent

Remediates the insecure folder permissions flaw by applying vendor patches or fixes to eliminate the vulnerability.

References