Vulnerabilities ›

CVE-2020-37231

High

CWE-428 — Weakness Type

                    Published: May 16, 2026                      ·  Modified: May 23, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Attackers can place malicious executables in the unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot.

🤖 AI Executive Summary

CVE-2020-37231 is a local privilege escalation vulnerability in Privacy Drive 3.17.0 affecting the pdsvc.exe service due to an unquoted service path. Attackers with local access can place malicious executables in unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup. While no public exploit is available and no patch exists, the vulnerability poses significant risk to organizations using this software, particularly in multi-user environments or systems with weak access controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 21, 2026 01:01

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations in sectors utilizing Privacy Drive for data protection: Government agencies (NCA, Ministry of Interior) managing sensitive citizen data, Banking sector (SAMA-regulated institutions) protecting financial records, Healthcare organizations (MOH facilities) storing patient information, and Energy sector (ARAMCO, utilities) securing operational technology. The local privilege escalation could lead to unauthorized access to encrypted data, system compromise, and potential data exfiltration. Risk is elevated in organizations with shared workstations or inadequate physical access controls.

🏢 Affected Saudi Sectors

Government Banking Healthcare Energy Telecommunications Education Legal Services

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.011 - Boot or Logon Autostart Execution: Plist Modification T1134.003 - Access Token Manipulation: Make and Impersonate Token T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking T1036.005 - Masquerading: Match Legitimate Name or Location T1053.005 - Scheduled Task/Job: Scheduled Task

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all systems running Privacy Drive 3.17.0 and document their locations and criticality

2. Restrict local access to affected systems through physical security and access controls

3. Implement application whitelisting to prevent unauthorized executable execution

4. Monitor service startup logs for suspicious activity



Compensating Controls:

1. Enforce strong file system permissions on directories in the service path (remove write permissions for non-administrators)

2. Implement endpoint detection and response (EDR) solutions to detect privilege escalation attempts

3. Use Windows AppLocker or similar tools to restrict executable execution in system directories

4. Enable Windows Event Logging for service startup and process creation (Event IDs 4688, 7045)

5. Regularly audit file system permissions on critical directories



Detection Rules:

1. Monitor for suspicious .exe files created in system directories or service paths

2. Alert on pdsvc.exe service restarts with unusual child processes

3. Track failed and successful privilege escalation attempts in Windows Security logs

4. Implement file integrity monitoring on service binary locations



Long-term:

1. Contact Privacy Drive vendor for security updates or consider alternative solutions

2. Plan migration to patched versions when available

3. Evaluate alternative encryption solutions with better security practices

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل Privacy Drive 3.17.0 وتوثيق مواقعها وأهميتها

2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال الأمان المادي والتحكم في الوصول

3. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ الملفات التنفيذية غير المصرح بها

4. مراقبة سجلات بدء الخدمة للنشاط المريب

الضوابط التعويضية:

1. فرض أذونات نظام الملفات القوية على المجلدات في مسار الخدمة (إزالة أذونات الكتابة للمسؤولين)

2. تنفيذ حلول الكشف والاستجابة للنقاط النهائية (EDR) للكشف عن محاولات تصعيد الامتيازات

3. استخدام AppLocker أو أدوات مماثلة لتقييد تنفيذ الملفات التنفيذية في مجلدات النظام

4. تفعيل تسجيل أحداث Windows لبدء الخدمة وإنشاء العمليات (معرفات الأحداث 4688، 7045)

5. تدقيق منتظم لأذونات نظام الملفات على المجلدات الحرجة

قواعد الكشف:

1. مراقبة ملفات .exe المريبة المنشأة في مجلدات النظام أو مسارات الخدمة

2. التنبيه على إعادة تشغيل خدمة pdsvc.exe مع عمليات فرعية غير عادية

3. تتبع محاولات تصعيد الامتيازات الفاشلة والناجحة في سجلات أمان Windows

4. تنفيذ مراقبة سلامة الملفات على مواقع الملفات الثنائية للخدمة

المدى الطويل:

1. الاتصال بمورد Privacy Drive للحصول على تحديثات أمان أو النظر في حلول بديلة

2. التخطيط للهجرة إلى الإصدارات المصححة عند توفرها

3. تقييم حلول التشفير البديلة ذات الممارسات الأمنية الأفضل

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies (local access restrictions) ECC 2024 A.8.1.1 - Asset Management (inventory of affected systems) ECC 2024 A.12.2.1 - Change Management (patch management procedures) ECC 2024 A.12.4.1 - Event Logging (monitoring service startup)

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset Management (identify systems running Privacy Drive) SAMA CSF PR.AC-1 - Access Control (restrict local access) SAMA CSF PR.PT-1 - Protection Technology (implement EDR/AppLocker) SAMA CSF DE.CM-1 - Detection and Analysis (monitor for exploitation attempts)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.3 - Segregation of duties (prevent unauthorized privilege escalation) ISO 27001:2022 A.8.1 - Asset management (inventory affected systems) ISO 27001:2022 A.8.3 - Media handling (protect system files) ISO 27001:2022 A.12.4 - Logging (event logging for service startup) ISO 27001:2022 A.12.6 - Technical vulnerability management (patch management)

🟣 PCI DSS v4.0.1

PCI DSS 2.2 - Configuration standards (secure service configuration) PCI DSS 6.2 - Security patches (patch management for affected systems) PCI DSS 10.2 - Logging and monitoring (monitor service startup events)

🔗 References & Sources 4

🔗

https://www.cybertronsoft.com/

disclosure@vulncheck.com

🔗

https://www.cybertronsoft.com/download/privacy-drive-setup.exe

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/49023

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/privacy-drive-unquoted-service-path-privilege-esca...

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-05-16

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2020-37231

Introduce Yourself

Sign In Required