📄 الوصف (الإنجليزية)
MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges.
🤖 ملخص AI
CVE-2020-36953 is a local privilege escalation vulnerability in MiniTool ShadowMaker 3.2 affecting the MTAgentService through an unquoted service path. Attackers with local access can inject malicious executables into the service path to achieve arbitrary code execution with SYSTEM privileges. While no public exploit is available, the vulnerability poses significant risk to organizations using this backup solution, particularly in critical infrastructure environments.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 27, 2026 07:38
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily impacts Saudi organizations using MiniTool ShadowMaker for backup and disaster recovery operations. Most at-risk sectors include: (1) Banking and Financial Services (SAMA-regulated entities) relying on this backup solution for critical data protection; (2) Government agencies and entities under NCA oversight using this tool for system backups; (3) Healthcare organizations (MOH, private hospitals) storing patient data backups; (4) Energy sector (ARAMCO, utilities) protecting operational technology backups; (5) Telecommunications (STC, Mobily) managing infrastructure backups. The vulnerability is particularly dangerous in multi-user environments and shared server infrastructure common in Saudi enterprises.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Critical Infrastructure
Data Centers and Cloud Services
🎯 تقنيات MITRE ATT&CK
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1036.003 - Masquerading: Rename System Utilities
T1053.005 - Scheduled Task/Job: Scheduled Task
⚖️ درجة المخاطر السعودية (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running MiniTool ShadowMaker 3.2 across your organization
2. Restrict local access to affected systems through access control lists and physical security measures
3. Monitor for suspicious file creation attempts in 'C:\Program Files\MiniTool ShadowMaker\' directory
Patching Guidance:
1. Upgrade MiniTool ShadowMaker to version 3.3 or later immediately
2. Verify service path is properly quoted after upgrade: "C:\Program Files\MiniTool ShadowMaker\AgentService.exe"
3. Test backup functionality post-upgrade in non-production environment first
Compensating Controls (if immediate patching not possible):
1. Disable MTAgentService if not actively used
2. Implement strict file system permissions on Program Files directory (read-only for non-administrators)
3. Use Windows AppLocker to prevent unauthorized executable execution in the service directory
4. Enable Windows Defender Application Guard for additional process isolation
Detection Rules:
1. Monitor Event Viewer for Service Control Manager (Event ID 7045) for service creation/modification
2. Alert on file creation in 'C:\Program Files\MiniTool ShadowMaker\' with suspicious names
3. Monitor process execution from Program Files\MiniTool ShadowMaker directory for unexpected binaries
4. Track privilege escalation attempts and SYSTEM-level process spawning from backup service context
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل MiniTool ShadowMaker 3.2 عبر مؤسستك
2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال قوائم التحكم في الوصول والتدابير الأمنية المادية
3. مراقبة محاولات إنشاء ملفات مريبة في دليل 'C:\Program Files\MiniTool ShadowMaker\'
إرشادات التصحيح:
1. ترقية MiniTool ShadowMaker إلى الإصدار 3.3 أو أحدث فوراً
2. التحقق من أن مسار الخدمة مقتبس بشكل صحيح بعد الترقية: "C:\Program Files\MiniTool ShadowMaker\AgentService.exe"
3. اختبار وظيفة النسخ الاحتياطي بعد الترقية في بيئة غير الإنتاج أولاً
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل خدمة MTAgentService إذا لم تكن قيد الاستخدام النشط
2. تنفيذ أذونات نظام الملفات الصارمة على دليل Program Files (قراءة فقط للمسؤولين)
3. استخدام Windows AppLocker لمنع تنفيذ الملفات التنفيذية غير المصرح بها في دليل الخدمة
4. تفعيل Windows Defender Application Guard لعزل العمليات الإضافي
قواعد الكشف:
1. مراقبة Event Viewer لمدير التحكم في الخدمة (معرف الحدث 7045) لإنشاء/تعديل الخدمة
2. التنبيه عند إنشاء ملفات في 'C:\Program Files\MiniTool ShadowMaker\' بأسماء مريبة
3. مراقبة تنفيذ العمليات من دليل Program Files\MiniTool ShadowMaker للملفات الثنائية غير المتوقعة
4. تتبع محاولات تصعيد الامتيازات وتوليد العمليات على مستوى SYSTEM من سياق خدمة النسخ الاحتياطي
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.8.2.1 - Classification of information
A.12.2.1 - Restrictions on software installation
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🔵 SAMA CSF
ID.AM-2 - Software inventory
PR.AC-1 - Access control policy
PR.AC-4 - Access rights management
PR.DS-5 - Encryption and key management
DE.CM-1 - System monitoring
DE.CM-3 - Unauthorized software detection
RS.MI-2 - Incident response procedures
🟡 ISO 27001:2022
A.5.1.1 - Information security policy
A.6.1.1 - Access control policy
A.6.2.1 - User access management
A.8.1.1 - Asset inventory
A.12.2.1 - Change management
A.12.4.1 - Event logging
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
2.2.4 - Configure system security parameters
6.2 - Ensure security patches are installed
8.1 - Assign unique user IDs
10.2 - Implement automated audit trails