CVE-2020-37063

High
CWE-428 — Weakness Type
Published: Feb 1, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.8
📄 Description (English)

TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.

🤖 AI Executive Summary

CVE-2020-37063 is a local privilege escalation vulnerability in TFTP Turbo 4.6.1273 affecting Windows systems through an unquoted service path. Attackers with local access can inject malicious executables into the service path to execute arbitrary code with LocalSystem privileges. While no public exploit is available, the vulnerability poses significant risk to organizations using this legacy TFTP service, particularly in industrial and network infrastructure environments common in Saudi Arabia.

🤖 AI Intelligence Analysis
Analyzed: Apr 27, 2026 15:01
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in critical sectors: (1) Energy sector (ARAMCO, utilities) using TFTP for device management and firmware updates; (2) Telecommunications (STC, Mobily, Zain) for network equipment provisioning; (3) Government agencies and NCA infrastructure relying on legacy network services; (4) Healthcare institutions using TFTP for medical device management; (5) Banking sector for ATM and network device configuration. The vulnerability is particularly concerning in industrial control systems and network infrastructure prevalent in Saudi Arabia's critical infrastructure.
🏢 Affected Saudi Sectors
Energy (ARAMCO, utilities) · Telecommunications (STC, Mobily, Zain) · Government & NCA · Healthcare · Banking & Financial Services · Industrial Control Systems · Network Infrastructure
⚖️ Saudi Risk Score (AI)
7.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running TFTP Turbo 4.6.1273 across your infrastructure using asset discovery tools
2. Restrict local access to affected systems through access control lists and physical security measures
3. Monitor service startup and file system changes in TFTP installation directories

Patching Guidance:
1. Upgrade TFTP Turbo to version 4.6.1274 or later immediately
2. If immediate patching is not possible, uninstall TFTP Turbo if not operationally critical
3. Test patches in non-production environments before deployment

Compensating Controls:
1. Implement file integrity monitoring (FIM) on TFTP service directories
2. Use AppLocker or Windows Defender Application Control to restrict executable execution in service paths
3. Run TFTP service with minimal required privileges instead of LocalSystem where possible
4. Implement strict file permissions (NTFS ACLs) on service installation directories
5. Disable TFTP service if not actively required

Detection Rules:
1. Monitor for file creation/modification in TFTP installation directories with suspicious extensions (.exe, .dll, .bat, .ps1)
2. Alert on service startup failures followed by successful execution with elevated privileges
3. Track changes to service registry keys (HKLM\SYSTEM\CurrentControlSet\Services\)
4. Monitor for unquoted path exploitation patterns in Windows Event Viewer (Event ID 4688 - Process Creation)
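The identification step and the service registry detection rule above both come down to knowing which services have an unquoted image path containing a space. The PowerShell below is an added example, not part of the original advisory or any vendor tooling; the function name `Test-UnquotedServicePath` and the sample paths are constructed placeholders, and no TFTP Turbo install path is assumed.

```powershell
# Added example: flag Windows services whose image path is unquoted and
# contains a space (CWE-428). Read-only; it changes nothing on the host.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }   # quoted path: unambiguous

    # Isolate the executable: everything up to the first ".exe" that ends
    # a token. Whatever follows is arguments, where spaces are harmless.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $false }      # e.g. kernel drivers (.sys)

    # A space inside the unquoted executable path is the defect.
    return $m.Groups[1].Value.Contains(' ')
}

# Constructed sample values (placeholders, not real product paths).
$samples = @(
    'C:\Program Files\Example Vendor\Example Service\svc.exe',
    '"C:\Program Files\Example Vendor\Example Service\svc.exe" -run',
    'C:\Windows\System32\svchost.exe -k netsvcs -p',
    'C:\Tools\agent.exe --config "C:\My Data\agent.ini"'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local host: list every service that matches, with the
# account it runs as so LocalSystem services can be prioritised.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Sort-Object Name |
    Select-Object Name, StartName, StartMode, PathName
```

Any service this lists should be upgraded to a fixed version or have its `ImagePath` value wrapped in double quotes; entries whose `StartName` is `LocalSystem` deserve priority.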
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control - Restrict local access and privilege escalation
ECC 2024 - 5.2.1: Cryptography and System Hardening - Implement application whitelisting
ECC 2024 - 6.1.1: Vulnerability Management - Patch management and vulnerability assessment
ECC 2024 - 6.2.1: Incident Response - Monitor and detect privilege escalation attempts
🔵 SAMA CSF
SAMA CSF - Governance & Risk Management: Identify and manage legacy system risks
SAMA CSF - Information Security: Implement access controls and privilege management
SAMA CSF - Operational Resilience: Maintain system availability while addressing vulnerabilities
SAMA CSF - Incident Management: Detect and respond to local privilege escalation attempts
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.2: User access management - Control local access privileges
ISO 27001:2022 - A.5.3: Access control - Implement principle of least privilege
ISO 27001:2022 - A.8.1: Asset management - Maintain inventory of TFTP systems
ISO 27001:2022 - A.8.2: Configuration management - Secure service configurations
ISO 27001:2022 - A.12.2: Software and firmware updates - Apply security patches
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1: Render PAN unreadable - Not directly applicable unless TFTP handles payment data
PCI DSS 6.2: Ensure security patches are installed - Patch TFTP Turbo immediately
PCI DSS 7.1: Limit access to system components - Restrict local access to TFTP systems
PCI DSS 11.2: Run vulnerability scans - Include TFTP systems in regular scanning
📊 CVSS Score
7.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L (Local)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.8
CWE: CWE-428
EPSS: 0.01%
Exploit: No
Patch: ✓ Yes
Published: 2026-02-01
Source Feed: nvd
🇸🇦 Saudi Risk Score
7.2 / 10.0
Priority: HIGH
🏷️ Tags
CWE-428