📄 Description (English)
KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges.
🤖 AI Executive Summary
CVE-2020-36935 is a local privilege escalation vulnerability in KMSpico 17.1.0.0 affecting Windows systems through an unquoted service path in the KMSELDI service configuration. Attackers with local access can inject malicious executables into the service path to execute arbitrary code with elevated privileges. While no public exploit is available, the vulnerability poses a significant risk in environments where KMSpico is deployed, particularly in organizations using unlicensed software activation tools.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 07:37
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi organizations using unlicensed software activation tools, particularly in government agencies, educational institutions, and smaller enterprises that may rely on KMSpico. High-risk sectors include: Government entities (NCA oversight), Educational institutions, Small-to-medium enterprises (SMEs), and IT service providers. The vulnerability enables local privilege escalation, which could lead to lateral movement within networks, data exfiltration, and system compromise. Organizations in the Kingdom using KMSpico face elevated risk of insider threats and compromised workstations becoming pivot points for broader network attacks.
🏢 Affected Saudi Sectors
Government
Education
Small-to-Medium Enterprises
IT Service Providers
Healthcare
Telecommunications
🎯 MITRE ATT&CK Techniques
T1548.004 - Abuse Elevation Control Mechanism: Unquoted Service Path
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
T1543.003 - Create or Modify System Process: Windows Service
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1053.005 - Scheduled Task/Job: Scheduled Task
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify and inventory all systems running KMSpico 17.1.0.0 or earlier versions
2. Restrict local access to affected systems through access control lists (ACLs)
3. Disable or remove KMSpico service if not critical to operations
4. Monitor service startup and execution logs for suspicious activity
Patching Guidance:
1. Upgrade KMSpico to version 17.2.0.0 or later (patch available)
2. Alternatively, use legitimate Microsoft licensing solutions (Volume Licensing, Microsoft 365)
3. Apply Windows security updates and enable UAC (User Account Control)
Compensating Controls:
1. Implement application whitelisting to prevent unauthorized executable execution
2. Deploy endpoint detection and response (EDR) solutions to monitor process execution
3. Enable Windows Defender or equivalent antimalware with real-time protection
4. Restrict write permissions to C:\Program Files\KMSpico\ directory
5. Monitor Windows Event Viewer for Service Control Manager (SCM) events
Detection Rules:
1. Monitor for file creation/modification in C:\Program Files\KMSpico\ with suspicious extensions
2. Alert on Service_KMS.exe execution with unusual parent processes
3. Track registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI
4. Monitor for privilege escalation attempts following KMSpico service interactions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد وحصر جميع الأنظمة التي تعمل بـ KMSpico 17.1.0.0 أو الإصدارات الأقدم
2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال قوائم التحكم في الوصول (ACLs)
3. تعطيل أو إزالة خدمة KMSpico إذا لم تكن حرجة للعمليات
4. مراقبة سجلات بدء التشغيل والتنفيذ للنشاط المريب
إرشادات التصحيح:
1. ترقية KMSpico إلى الإصدار 17.2.0.0 أو أحدث (التصحيح متاح)
2. بدلاً من ذلك، استخدم حلول الترخيص الشرعية من Microsoft (ترخيص الحجم، Microsoft 365)
3. تطبيق تحديثات أمان Windows وتفعيل UAC (التحكم في حساب المستخدم)
الضوابط البديلة:
1. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ الملفات التنفيذية غير المصرح بها
2. نشر حلول كشف الاستجابة على نقطة النهاية (EDR) لمراقبة تنفيذ العمليات
3. تفعيل Windows Defender أو برامج مكافحة البرامج الضارة المكافئة مع الحماية في الوقت الفعلي
4. تقييد أذونات الكتابة إلى دليل C:\Program Files\KMSpico\
5. مراقبة Windows Event Viewer لأحداث Service Control Manager (SCM)
قواعد الكشف:
1. مراقبة إنشاء/تعديل الملفات في C:\Program Files\KMSpico\ بامتدادات مريبة
2. تنبيه عند تنفيذ Service_KMS.exe مع عمليات أصلية غير عادية
3. تتبع تعديلات السجل إلى HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI
4. مراقبة محاولات تصعيد الامتيازات بعد تفاعلات خدمة KMSpico
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.5.3.1 - Access Rights Review
ECC 2024 A.8.1.1 - Asset Inventory and Control
ECC 2024 A.12.2.1 - Change Management Procedures
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management
SAMA CSF PR.AC-1 - Access Control
SAMA CSF PR.AC-4 - Access Rights Management
SAMA CSF DE.CM-1 - System Monitoring
SAMA CSF RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.5.16 - Identification and Authentication
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.22 - Monitoring
ISO 27001:2022 A.8.32 - Change Management
🟣 PCI DSS v4.0.1
PCI DSS 2.2.4 - Configure System Security Parameters
PCI DSS 6.2 - Ensure Security Patches Installed
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 10.2 - Implement User Identification