📄 Description (English)
IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory and restart the service to execute code with SYSTEM privileges.
🤖 AI Executive Summary
CVE-2020-37223 is a local privilege escalation vulnerability in IObit Uninstaller 9.5.0.15 affecting the IObitUnSvr service through an unquoted service path. Attackers with local access can place a malicious executable in a predictable directory and escalate privileges to SYSTEM level. While no public exploit is available and patching options are limited, this vulnerability poses significant risk in enterprise environments where IObit Uninstaller is deployed, particularly in organizations with weak local access controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 20, 2026 07:01
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises that deploy IObit Uninstaller for system maintenance. High-risk sectors include: (1) Banking sector under SAMA oversight where workstations may run IObit Uninstaller; (2) Government entities under NCA jurisdiction managing IT infrastructure; (3) Healthcare organizations managing clinical workstations; (4) Energy sector including ARAMCO subsidiaries with IT infrastructure. The vulnerability is particularly concerning in organizations with shared workstations or contractor access, common in Saudi enterprises. Impact is limited to local privilege escalation but could enable lateral movement and data exfiltration in multi-user environments.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Energy
Telecommunications
Education
Large Enterprises
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all systems running IObit Uninstaller 9.5.0.15 and earlier versions across the organization
2. Restrict local administrative access and implement principle of least privilege on affected systems
3. Disable or remove IObit Uninstaller if not critical to operations
Compensating Controls (until upgrade/removal):
1. Implement strict file system permissions on C:\Program Files (x86)\IObit directory - restrict write access to SYSTEM and Administrators only
2. Monitor and alert on any executable creation in C:\Program Files (x86)\IObit directory
3. Disable IObitUnSvr service if not actively used; set service startup type to 'Disabled'
4. Implement application whitelisting to prevent unauthorized executables in Program Files directories
5. Enable Windows Audit Policy to log service start/stop events and file creation in protected directories
Detection Rules:
1. Monitor for file creation events in C:\Program Files (x86)\IObit with executable extensions (.exe, .dll, .sys)
2. Alert on IObitUnSvr service restart or start events
3. Monitor for process execution with SYSTEM privileges originating from C:\Program Files (x86)\IObit
4. Track failed and successful privilege escalation attempts in Windows Event Viewer (Event ID 4672, 4673)
Upgrade Path:
1. Contact IObit for patched version or migrate to alternative system maintenance tools
2. If upgrade available, test in isolated environment before enterprise deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع الأنظمة التي تقوم بتشغيل IObit Uninstaller 9.5.0.15 والإصدارات السابقة عبر المنظمة
2. قيد الوصول الإداري المحلي وطبق مبدأ الامتياز الأقل على الأنظمة المتأثرة
3. عطل أو أزل IObit Uninstaller إذا لم يكن حرجاً للعمليات
الضوابط التعويضية (حتى الترقية/الإزالة):
1. طبق أذونات نظام الملفات الصارمة على دليل C:\Program Files (x86)\IObit - قيد الوصول للكتابة إلى SYSTEM والمسؤولين فقط
2. راقب وأصدر تنبيهات لأي إنشاء ملف قابل للتنفيذ في دليل C:\Program Files (x86)\IObit
3. عطل خدمة IObitUnSvr إذا لم تكن قيد الاستخدام النشط؛ اضبط نوع بدء الخدمة على 'معطل'
4. طبق قائمة بيضاء للتطبيقات لمنع الملفات التنفيذية غير المصرح بها في أدلة Program Files
5. فعّل سياسة تدقيق Windows لتسجيل أحداث بدء/إيقاف الخدمة وإنشاء الملفات في الأدلة المحمية
قواعد الكشف:
1. راقب أحداث إنشاء الملفات في C:\Program Files (x86)\IObit بامتدادات قابلة للتنفيذ (.exe, .dll, .sys)
2. أصدر تنبيهات عند إعادة تشغيل أو بدء خدمة IObitUnSvr
3. راقب تنفيذ العمليات بامتيازات SYSTEM من C:\Program Files (x86)\IObit
4. تتبع محاولات تصعيد الامتيازات الفاشلة والناجحة في Windows Event Viewer (معرف الحدث 4672، 4673)
مسار الترقية:
1. اتصل بـ IObit للحصول على إصدار مصحح أو الهجرة إلى أدوات صيانة نظام بديلة
2. إذا كان الترقية متاحة، اختبرها في بيئة معزولة قبل النشر على مستوى المؤسسة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and de-registration
A.6.2.2 - User access provisioning
A.8.2.1 - User endpoint devices
A.8.2.3 - Segregation of networks
A.8.3.1 - Encryption and key management
🔵 SAMA CSF
ID.AM-2 - Software inventory
PR.AC-1 - Identity and access management
PR.AC-4 - Access rights management
PR.DS-5 - Protective technology
DE.CM-1 - System monitoring
DE.CM-3 - Unauthorized software detection
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights
A.8.1.1 - User endpoint devices
A.8.2.1 - Privileged access rights
A.8.3.1 - Encryption and key management
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🟣 PCI DSS v4.0.1
2.2.4 - Configure system security parameters
6.2 - Ensure security patches are installed
7.1 - Limit access to system components
10.2 - Implement automated audit trails
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://www.exploit-db.com/exploits/48543
disclosure@vulncheck.com
https://www.iobit.com
disclosure@vulncheck.com
https://www.iobit.com/en/advanceduninstaller.php
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/iobit-uninstaller-unquoted-service-path-privilege-...
disclosure@vulncheck.com