Vulnerabilities ›

CVE-2020-36981

High

Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path

CWE-428 — Weakness Type

                    Published: Jan 27, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup.

🤖 AI Executive Summary

CVE-2020-36981 is a local privilege escalation vulnerability in Motorola Device Manager 2.4.5 affecting the PST Service through an unquoted service path in ForwardDaemon.exe. Attackers with local access can inject malicious code to execute arbitrary commands with SYSTEM privileges during service startup. While no public exploit exists, the vulnerability poses significant risk to organizations using this software, particularly in enterprise environments where local access controls may be insufficient.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 10:32

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using Motorola Device Manager for device management. High-risk sectors include: Banking (SAMA-regulated institutions managing mobile devices), Government (NCA, ministries using centralized device management), Telecommunications (STC, Mobily managing enterprise infrastructure), and Healthcare (MOHSR facilities). The local privilege escalation nature makes it particularly dangerous in environments with shared workstations or inadequate endpoint access controls. Organizations with BYOD programs or contractor access are at elevated risk.

🏢 Affected Saudi Sectors

Government Banking Telecommunications Healthcare Energy Enterprise IT

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.011 - Boot or Logon Autostart Execution: Services T1134.003 - Access Token Manipulation: Make and Impersonate Token T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking T1112 - Modify Registry T1053.005 - Scheduled Task/Job: Scheduled Task

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all systems running Motorola Device Manager 2.4.5 across your organization

2. Restrict local administrative access and implement principle of least privilege

3. Review and strengthen local access controls, particularly for shared workstations

4. Monitor ForwardDaemon.exe process execution and service startup events



Patching Guidance:

1. Upgrade Motorola Device Manager to version 2.4.6 or later immediately

2. Verify patch installation by checking service path configuration in Registry (HKLM\SYSTEM\CurrentControlSet\Services\PST Service)

3. Ensure service path is properly quoted and points to legitimate executable

4. Restart affected systems after patching



Compensating Controls (if patching delayed):

1. Disable PST Service if not actively required

2. Implement file integrity monitoring on ForwardDaemon.exe and service registry keys

3. Restrict write permissions to service executable directory

4. Deploy application whitelisting to prevent unauthorized code execution



Detection Rules:

1. Monitor for modifications to HKLM\SYSTEM\CurrentControlSet\Services\PST Service registry key

2. Alert on ForwardDaemon.exe execution from unexpected paths

3. Track service startup events (Event ID 7045) for PST Service

4. Monitor for suspicious child processes spawned by ForwardDaemon.exe with SYSTEM privileges

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل Motorola Device Manager 2.4.5 عبر مؤسستك

2. تقييد الوصول الإداري المحلي وتطبيق مبدأ الامتياز الأقل

3. مراجعة وتعزيز عناصر التحكم في الوصول المحلي، خاصة لمحطات العمل المشتركة

4. مراقبة تنفيذ عملية ForwardDaemon.exe وأحداث بدء الخدمة

إرشادات التصحيح:

1. ترقية Motorola Device Manager إلى الإصدار 2.4.6 أو أحدث على الفور

2. التحقق من تثبيت التصحيح بفحص تكوين مسار الخدمة في السجل (HKLM\SYSTEM\CurrentControlSet\Services\PST Service)

3. التأكد من أن مسار الخدمة مقتبس بشكل صحيح ويشير إلى ملف قابل للتنفيذ شرعي

4. إعادة تشغيل الأنظمة المتأثرة بعد التصحيح

عناصر التحكم البديلة (إذا تأخر التصحيح):

1. تعطيل خدمة PST إذا لم تكن مطلوبة بنشاط

2. تطبيق مراقبة سلامة الملفات على ForwardDaemon.exe ومفاتيح سجل الخدمة

3. تقييد أذونات الكتابة لدليل ملف الخدمة القابل للتنفيذ

4. نشر القائمة البيضاء للتطبيقات لمنع تنفيذ الكود غير المصرح به

قواعد الكشف:

1. مراقبة التعديلات على مفتاح السجل HKLM\SYSTEM\CurrentControlSet\Services\PST Service

2. تنبيه عند تنفيذ ForwardDaemon.exe من مسارات غير متوقعة

3. تتبع أحداث بدء الخدمة (معرف الحدث 7045) لخدمة PST

4. مراقبة العمليات الفرعية المريبة التي تم إطلاقها بواسطة ForwardDaemon.exe بامتيازات SYSTEM

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.5.2.1 - User access management and privilege management A.5.2.3 - Management of privileged access rights A.5.3.1 - Password management A.8.1.1 - User endpoint devices A.8.2.1 - Malware protection A.8.3.1 - Management of removable media

🔵 SAMA CSF

ID.AM-2 - Software platforms and applications are catalogued PR.AC-1 - Identities and credentials are issued and managed PR.AC-4 - Access rights are managed based on the principle of least privilege PR.DS-6 - Integrity checking mechanisms are used to verify software DE.CM-3 - Personnel activity is monitored to detect anomalous behavior

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.6.1.2 - Information security roles and responsibilities A.8.1.1 - User endpoint devices A.8.2.1 - Malware protection A.8.3.2 - Management of removable media A.9.2.1 - User registration and de-registration A.9.2.5 - Access rights review

🔗 References & Sources 4

🔗

https://www.exploit-db.com/exploits/49011

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/49013

disclosure@vulncheck.com

🔗

https://www.filehorse.com/es/descargar-motorola-device-manager/

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/motorola-device-manager-forwarddaemonexe-unquoted-...

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-01-27

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2020-36981

💬 Comments

Introduce Yourself

Sign In Required