Vulnerabilities ›

CVE-2020-37099

High

Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the

CWE-428 — Weakness Type

                    Published: Feb 3, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malicious executables and escalate privileges.

🤖 AI Executive Summary

CVE-2020-37099 is a local privilege escalation vulnerability in Disk Savvy Enterprise 12.3.18 exploiting an unquoted service path, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges. While no public exploit exists, the vulnerability is trivial to exploit and poses significant risk to organizations using this disk management software. Immediate patching is critical for systems handling sensitive data or operating in restricted environments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 17:19

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using Disk Savvy Enterprise for storage management and monitoring. High-risk sectors include: SAMA-regulated banking institutions managing critical financial data, NCA-supervised government agencies handling classified information, healthcare organizations (MOH) storing patient records, ARAMCO and energy sector companies managing operational technology infrastructure, and telecommunications providers (STC, Mobily) maintaining network infrastructure. The local privilege escalation capability is particularly dangerous in multi-user environments and shared server infrastructure common in Saudi enterprise deployments.

🏢 Affected Saudi Sectors

Banking & Financial Services (SAMA-regulated) Government & Public Administration (NCA-supervised) Healthcare (MOH facilities) Energy & Oil/Gas (ARAMCO, downstream operators) Telecommunications (STC, Mobily, Zain) Large Enterprise IT Operations Data Centers & Hosting Providers

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.011 - Boot or Logon Autostart Execution: Services T1134.003 - Access Token Manipulation: Make and Impersonate Token T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking T1036.003 - Masquerading: Rename System Utilities T1053.005 - Scheduled Task/Job: Scheduled Task

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all systems running Disk Savvy Enterprise 12.3.18 or earlier versions through asset inventory and endpoint detection tools

2. Restrict local access to affected systems through Group Policy (Windows) or access control lists

3. Disable or remove Disk Savvy Enterprise service if not critical to operations



PATCHING:

1. Upgrade to Disk Savvy Enterprise version 13.0 or later (confirmed patched version)

2. Apply patches through controlled testing in non-production environments first

3. Verify service path is properly quoted post-patch: "C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe"



COMPENSATING CONTROLS (if immediate patching not possible):

1. Implement application whitelisting to prevent unauthorized executable execution in Program Files directories

2. Monitor and alert on file creation attempts in C:\Program Files\Disk Savvy Enterprise\bin\ directory

3. Restrict service account permissions to minimum required privileges

4. Enable Windows Defender Application Guard or similar sandboxing



DETECTION RULES:

1. Monitor for suspicious .exe files created in C:\Program Files\Disk Savvy Enterprise\bin\ with timestamps near service startup

2. Alert on disksvs.exe service starting with unexpected child processes

3. Track privilege escalation events (Event ID 4688) following Disk Savvy service execution

4. Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\DiskSavvyService ImagePath value

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل Disk Savvy Enterprise 12.3.18 أو الإصدارات الأقدم من خلال جرد الأصول وأدوات الكشف عن نقاط النهاية

2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال Group Policy أو قوائم التحكم في الوصول

3. تعطيل أو إزالة خدمة Disk Savvy Enterprise إذا لم تكن حرجة للعمليات

التصحيح:

1. الترقية إلى Disk Savvy Enterprise الإصدار 13.0 أو أحدث (إصدار مصحح مؤكد)

2. تطبيق التصحيحات من خلال الاختبار المنضبط في بيئات غير الإنتاج أولاً

3. التحقق من أن مسار الخدمة محاط بعلامات اقتباس بشكل صحيح بعد التصحيح

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ ملفات قابلة للتنفيذ غير مصرح بها في أدلة Program Files

2. مراقبة والتنبيه على محاولات إنشاء ملفات في دليل Disk Savvy Enterprise

3. تقييد أذونات حساب الخدمة للحد الأدنى المطلوب

4. تفعيل Windows Defender Application Guard أو حماية مماثلة

قواعد الكشف:

1. مراقبة ملفات .exe المريبة المنشأة في دليل Disk Savvy Enterprise مع أوقات قريبة من بدء الخدمة

2. التنبيه على خدمة disksvs.exe التي تبدأ بعمليات فرعية غير متوقعة

3. تتبع أحداث تصعيد الامتيازات بعد تنفيذ خدمة Disk Savvy

4. مراقبة تعديلات السجل على قيمة ImagePath للخدمة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.5.2.1 - User access management and privilege control A.5.2.2 - Segregation of duties A.5.2.3 - User access review A.5.3.1 - Password management A.5.4.1 - Event logging and monitoring A.5.4.2 - Protection of log information A.5.5.1 - Installation of software on operational systems

🔵 SAMA CSF

Governance & Risk Management - Policy and Risk Assessment Information & Cybersecurity - Access Control and Authentication Information & Cybersecurity - Audit and Accountability Resilience & Continuity - System Hardening and Patch Management

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.5.2.1 - User registration and de-registration A.5.2.2 - User access provisioning A.5.2.3 - Management of privileged access rights A.5.3.1 - Management of authentication information A.5.4.1 - Event logging A.5.4.2 - Protection of log information A.8.1.1 - User endpoint devices A.8.1.3 - Management of removable media

🟣 PCI DSS v4.0.1

Requirement 2.2.4 - Configure system security parameters to prevent misuse Requirement 6.2 - Ensure all system components and software are protected from known vulnerabilities Requirement 8.1.1 - Assign unique ID to each person with computer access Requirement 8.2.1 - Use strong authentication methods

🔗 References & Sources 3

🔗

http://www.disksavvy.com

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/48049

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/disk-savvy-enterprise-disksvsexe-unquoted-service-...

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-02-03

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2020-37099

💬 Comments

Introduce Yourself

Sign In Required