CVE-2020-37047 in Deep Instinct Windows Agent
Summary
by MITRE • 02/01/2026
Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe to inject malicious code that would execute with LocalSystem permissions during service startup.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/02/2026
The vulnerability identified as CVE-2020-37047 resides within the Deep Instinct Windows Agent version 1.2.29.0, specifically affecting the DeepMgmtService component that operates under the LocalSystem account privileges. This represents a critical security flaw that stems from improper service path configuration where the executable path lacks proper quotation marks around the file path. The service attempts to execute C:\Program Files\HP Sure Sense\DeepMgmtService.exe without enclosing the path in quotation marks, creating a exploitable condition that violates fundamental security practices for Windows service configurations. The absence of proper path quoting allows attackers to manipulate the execution flow by placing malicious executables in directories that precede the intended service location in the Windows search path.
This vulnerability operates under the principle of path traversal and privilege escalation through service misconfiguration, aligning with CWE-428 which addresses weaknesses in the use of unquoted service paths. The attack vector exploits the Windows service startup mechanism where the operating system searches for executables in the PATH environment variable in order. When a service path is unquoted, Windows will first search for an executable named "Program" in the root directory, then continue searching through subsequent directories in the path. This behavior creates opportunities for attackers to place malicious executables in high-privilege directories like C:\Program Files\HP Sure Sense\ where the service will execute them with elevated permissions. The attack scenario enables local users to gain SYSTEM-level privileges through code injection, representing a significant escalation from user-level access to privileged execution.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides a persistent backdoor mechanism for attackers who can leverage this condition to establish long-term access to compromised systems. The service runs with LocalSystem permissions, meaning any code executed through this vector will operate with the highest possible privileges available to Windows services. This condition creates a persistent threat that can survive system reboots and service restarts, as the malicious code injection occurs during the service startup process. The vulnerability is particularly concerning because it allows attackers to execute code with minimal user interaction requirements, requiring only local access to the system to exploit the flaw. The attack can be executed through various methods including directory junctions, symbolic links, or direct file placement in strategic locations within the Windows file system hierarchy.
Mitigation strategies for CVE-2020-37047 should focus on immediate service path remediation through proper quotation of executable paths, which aligns with the ATT&CK technique T1068 for local privilege escalation. Organizations should implement comprehensive patch management procedures to ensure all Deep Instinct agents are updated to versions that properly quote service paths. System administrators must conduct thorough audits of service configurations to identify other unquoted paths that may present similar vulnerabilities, as this represents a common pattern in Windows service misconfigurations. The implementation of application whitelisting policies can further protect against exploitation by preventing unauthorized executables from running in critical system directories. Additionally, monitoring for suspicious service startup activities and implementing proper file system permissions can help detect and prevent exploitation attempts. Regular security assessments should include checks for unquoted service paths as part of broader vulnerability management programs, ensuring that service configurations follow security best practices and minimize potential attack surface areas.