CVE-2020-37230

HIGH

Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37230. PoCs published by Julio Aviña.

AI-analyzed exploit summary This is a technical writeup detailing an unquoted service path vulnerability in Syncplify.me Server! 5.0.37. It provides steps to identify the vulnerable service and explains the exploitation method, which involves inserting an executable into the service path to achieve privilege escalation.

Description

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots.

Exploits (1)

exploitdb WRITEUP

by Julio Aviña · textlocalwindows

https://www.exploit-db.com/exploits/49009

View Code ZIP pw:eip

This is a technical writeup detailing an unquoted service path vulnerability in Syncplify.me Server! 5.0.37. It provides steps to identify the vulnerable service and explains the exploitation method, which involves inserting an executable into the service path to achieve privilege escalation.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Syncplify.me Server! 5.0.37

Auth required

Prerequisites: local access to the system · ability to insert an executable into the service path

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-49009

https://www.exploit-db.com/exploits/49009

Product product

Official Product Homepage

https://www.syncplify.me/

Product product

Product Reference

https://download.syncplify.me/SMServer_Setup.exe

Third Party Advisory third-party-advisory

VulnCheck Advisory: Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation

https://www.vulncheck.com/advisories/syncplify-me-server-unquoted-service-path-privilege-escalation

Scores

CVSS v3 7.8

EPSS 0.0011

EPSS Percentile 1.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-428

Status published

Products (1)

Syncplify/Syncplify.me Server! 5.0.37

Published May 16, 2026

Tracked Since May 16, 2026