CVE-2020-37129 in Memu Play

Summary

by MITRE • 02/05/2026

Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions.

Analysis

by VulDB Data Team • 02/06/2026

CVE-2020-37129 affects Memu Play version 7.1.3 and is a critical insecure folder permissions flaw that undermines the application's security model. The installation directory is deployed with permission controls too weak to protect the MemuService.exe executable, so any local user can modify or replace the core service binary. The root cause is the absence of discretionary access control lists and security descriptor settings that would normally restrict write access to system-critical executables. Under CWE-276 this is a classic case of insecure default permissions: the software fails to apply least-privilege access controls to a critical system component. Because a modified binary survives system restarts, the flaw amounts to a persistent backdoor that can be exploited repeatedly without any additional attack vector.

Exploitation follows a straightforward but effective pattern built on this violation of least privilege. Low-privileged users can modify MemuService.exe directly because the installation directory lacks the permissions that would normally prevent such writes. After a system restart the replaced executable runs with SYSTEM privileges, elevating the attacker to the highest privilege level available on the system. This aligns with ATT&CK technique T1068, which describes local privilege escalation through service binary replacement. Windows service executables run with elevated privileges by design, so when one is replaced with a malicious payload the system itself launches the attacker-controlled code with administrative rights. The attack chain shows how improper file system permissions create a direct path to system compromise.

The operational impact goes well beyond simple privilege escalation: it gives an attacker complete control of the affected system. Once MemuService.exe has been replaced, arbitrary code runs with SYSTEM privileges, which allows installing additional malware, modifying system files, accessing sensitive data, or establishing persistent access through rootkits or backdoors. Any system running Memu Play 7.1.3 on which local users can modify files in the application installation directory is affected. The risk is significant in enterprise environments where multiple users share systems, since a single compromised low-privileged account could hand an attacker complete system control. Because the malicious code keeps executing with elevated privileges across reboots, detection and remediation are harder. Organizations should weigh this vulnerability in their risk assessments as a direct path to full system compromise through a simple file modification.

Mitigation for CVE-2020-37129 should focus on proper access control and system hardening. The primary recommendation is to restrict write permissions on the Memu Play installation directory so that only administrators can modify the service executable and related files; system administrators should apply discretionary access control lists that prevent local users from modifying critical service binaries. Organizations should also consider application whitelisting policies that block execution of unauthorized binaries, and endpoint protection that monitors for suspicious file modification activity. The vulnerability underlines the need for secure installation configurations: applications should not be installed with permissions that allow arbitrary file modification. Regular security audits should verify that critical executables keep appropriate permission settings, and automated monitoring should detect unauthorized changes to service binaries. Finally, organizations should consider upgrading to newer versions of Memu Play where this vulnerability has been addressed through proper permission controls and secure installation practices.
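The audit and hardening steps above can be scripted. The following PowerShell is an added example, not code from the advisory, from MITRE, from VulDB or from the Memu Play vendor: it resolves the executable behind a Windows service, reports every ACE on that file and on its folder that grants a write-class right to a low-privileged principal (the condition described for MemuService.exe), and can tighten the ACL so only SYSTEM and Administrators may write. It generalizes to any service, not just Memu Play. The service name and install path are not stated in the advisory, so both are caller-supplied placeholders here.

```powershell
# Added example, not code from the advisory or the vendor. Audits a service
# binary and its folder for write-class access held by low-privileged
# principals (the misconfiguration CVE-2020-37129 describes) and can restrict
# write access to administrators. Service name and path are assumptions
# supplied by the caller; the advisory does not state them.

# Principals every local user belongs to, by well-known SID.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a principal replace, alter, delete or re-permission a file.
$WriteClass = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                    [System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-ServiceBinaryPath {
    # Resolve the executable from the service's registered command line,
    # which may be quoted and may carry arguments.
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $cmd = $svc.PathName.Trim()
    if ($cmd.StartsWith('"')) { return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    # Unquoted path: extend one space-separated token at a time until it names a file.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    throw "Cannot resolve an executable from '$cmd'"
}

function Test-LowPrivWriteAce {
    # True when an Allow ACE grants a write-class right to a low-privileged principal.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # orphaned or untranslatable identity
    return ($LowPrivSids -contains $sid) -and (([int]$Ace.FileSystemRights -band $WriteClass) -ne 0)
}

function Get-ServiceBinaryFindings {
    # Report offending ACEs on the service executable and on its folder; a
    # writable folder alone is enough to rename or delete the binary.
    param([Parameter(Mandatory)][string]$ServiceName)
    $exe = Get-ServiceBinaryPath -ServiceName $ServiceName
    foreach ($path in @($exe, (Split-Path -Parent $exe))) {
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if (Test-LowPrivWriteAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Protect-ServiceBinary {
    # Stop inheriting from the parent, drop write-class ACEs held by
    # low-privileged principals, and guarantee SYSTEM and Administrators full
    # control while leaving Users read-and-execute so the program still runs.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if (-not $PSCmdlet.ShouldProcess($Path, 'Restrict write access to administrators')) { return }
    # Phase 1: break inheritance, copying inherited ACEs so they become explicit.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Phase 2: re-read, remove the offending (now explicit) ACEs, add the baseline.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { Test-LowPrivWriteAce -Ace $_ })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $baseline = @{ 'S-1-5-18' = 'FullControl'; 'S-1-5-32-544' = 'FullControl'; 'S-1-5-32-545' = 'ReadAndExecute' }
    foreach ($sid in $baseline.Keys) {
        $id = [System.Security.Principal.SecurityIdentifier]$sid
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $baseline[$sid], $inherit, 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage. '<memu-service-name>' is a placeholder; take the real name from Get-Service on the host.
# Get-ServiceBinaryFindings -ServiceName '<memu-service-name>' | Format-Table
# Protect-ServiceBinary -Path (Split-Path -Parent (Get-ServiceBinaryPath '<memu-service-name>')) -WhatIf
```

Run the audit from an elevated prompt across all services (`Get-CimInstance Win32_Service | ForEach-Object { Get-ServiceBinaryFindings $_.Name }`) to catch the same weakness in other installs, and keep `-WhatIf` on `Protect-ServiceBinary` until the reported changes have been reviewed; the hardening deliberately breaks inheritance so a permissive parent folder cannot reintroduce the write grant. Checking the folder as well as the file matters because delete or rename rights on the directory defeat a tight ACL on the executable itself.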

Responsible

VulnCheck

Reservation

02/03/2026

Disclosure

02/05/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00338

KEV

no

Activities

very low
