CVE-2020-36935

HIGH

KMSpico 17.1.0.0 - Unquoted Service Path Privilege Escalation via Service KMSELDI Configuration

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36935. PoCs published by SamAlucard.

AI-analyzed exploit summary This is a technical writeup demonstrating an unquoted service path vulnerability in KMSpico 17.1.0.0. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code with elevated privileges.

Description

KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges.

Exploits (1)

exploitdb WRITEUP
by SamAlucard · textlocalwindows
https://www.exploit-db.com/exploits/49003

This is a technical writeup demonstrating an unquoted service path vulnerability in KMSpico 17.1.0.0. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code with elevated privileges.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: KMSpico 17.1.0.0
Auth required
Prerequisites: Local access to the system · KMSpico 17.1.0.0 installed with the vulnerable service
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Various Sources product
https://official-kmspico.com/
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49003

Scores

CVSS v3 7.8
EPSS 0.0015
EPSS Percentile 4.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Published Jan 25, 2026
Tracked Since Feb 18, 2026