CVE-2020-37247

HIGH

Kite 4.2.0.1 U1 Unquoted Service Path Privilege Escalation

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37247. PoCs published by Ghaleb Al-otaibi.

AI-analyzed exploit summary This is a technical writeup detailing an unquoted service path vulnerability in KiteService, which could allow local privilege escalation due to improper handling of spaces in the service path. The provided information includes service configuration details and version specifics.

Description

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts.

Exploits (1)

exploitdb WRITEUP

by Ghaleb Al-otaibi · textlocalwindows

https://www.exploit-db.com/exploits/50975

View Code ZIP pw:eip

This is a technical writeup detailing an unquoted service path vulnerability in KiteService, which could allow local privilege escalation due to improper handling of spaces in the service path. The provided information includes service configuration details and version specifics.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: Kite Version 4.2.0.1 U1

Auth required

Prerequisites: Local access to the system · KiteService installed with unquoted path

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-50975

https://www.exploit-db.com/exploits/50975

Product product

Official Product Homepage

https://www.kite.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Kite 4.2.0.1 U1 Unquoted Service Path Privilege Escalation

https://www.vulncheck.com/advisories/kite-u1-unquoted-service-path-privilege-escalation

Scores

CVSS v3 7.8

EPSS 0.0011

EPSS Percentile 1.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-428

Status published

Products (1)

Kite/Kite 4.2.0.1 U1

Published May 16, 2026

Tracked Since May 16, 2026