CVE-2020-37100

HIGH

Sync Breeze Enterprise 12.4.18 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37100. PoCs published by boku.

AI-analyzed exploit summary This is a writeup demonstrating an unquoted service path vulnerability in Sync Breeze Enterprise 12.4.18. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code if an attacker can place a malicious executable in the path.

Description

Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process.

Exploits (1)

exploitdb WRITEUP
by boku · textlocalwindows
https://www.exploit-db.com/exploits/48045

This is a writeup demonstrating an unquoted service path vulnerability in Sync Breeze Enterprise 12.4.18. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code if an attacker can place a malicious executable in the path.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Sync Breeze Enterprise 12.4.18
Auth required
Prerequisites: Local access to the system · Ability to write to the directory structure where the unquoted path is located
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48045
Various Sources product
http://www.syncbreeze.com

Scores

CVSS v3 7.8
EPSS 0.0019
EPSS Percentile 8.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Products (1)
flexense/syncbreeze 12.4.18
Published Feb 03, 2026
Tracked Since Feb 18, 2026