CVE-2023-36658 in MetaDefender KIOSK
Summary
by MITRE • 09/15/2023
An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. It has an unquoted service path that can be abused locally.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/14/2026
The vulnerability identified as CVE-2023-36658 affects OPSWAT MetaDefender KIOSK version 4.6.1.9996 and represents a critical security flaw related to service path configuration. This issue arises from an unquoted service path that creates an exploitable condition within the system's service management framework. The vulnerability specifically impacts the local security posture of systems running this particular version of the MetaDefender KIOSK software, which is designed for secure file scanning and endpoint protection in kiosk environments.
The technical flaw manifests when a service is installed without proper quotation of the executable path in the Windows service configuration. This condition allows for path traversal attacks where malicious actors can place executable files in directories that fall within the service's search path. The unquoted service path creates a window of opportunity for privilege escalation attacks, as the system will execute the first executable found in the search path rather than the intended service binary. This behavior aligns with common Windows service security vulnerabilities and is categorized under CWE-428, which addresses the improper handling of unquoted service paths in Windows environments.
The operational impact of this vulnerability is significant for organizations deploying MetaDefender KIOSK in production environments, particularly those with limited security controls or restricted administrative access. Local attackers who have access to the system can exploit this weakness to elevate their privileges and potentially gain unauthorized access to sensitive system resources. The vulnerability can be exploited to install malicious software, modify system configurations, or establish persistent access points within the affected environment. This poses particular risk in kiosk deployments where systems may be less frequently monitored and updated, creating extended windows of exposure.
Organizations should implement immediate mitigations including applying the latest patches provided by OPSWAT, properly quoting service paths during installation, and conducting comprehensive security audits of all installed services. The remediation process involves verifying that all service executable paths are enclosed in quotation marks to prevent path traversal exploitation. Security professionals should also consider implementing additional controls such as service hardening procedures, regular service path validation, and monitoring for unauthorized service modifications. This vulnerability demonstrates the importance of adhering to security best practices in service configuration management and aligns with ATT&CK technique T1543.003 for creating or modifying system level persistence via service creation or modification. The attack surface is further reduced by implementing least privilege principles and ensuring that service accounts have minimal required permissions to operate effectively while maintaining system security integrity.