CVE-2020-36879

Flexsense DiskBoss Service Unquoted Service Path Vulnerability

CVSS 8.5 HIGHEPSS 0.2%CWE-428

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.5EPSS 0.2%KEV nãoPoC —Patch —

Lifecycle

05 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Flexsense · DiskBoss Flexsense · DiskBoss Enterprise Flexsense · DiskBoss Pro Flexsense · DiskBoss Server Flexsense · DiskBoss Ultimate

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.diskboss.com/https://www.diskboss.com/downloads.html https://www.exploit-db.com/exploits/49022 https://www.vulncheck.com/advisories/flexsense-diskboss-service-unquoted-service-path-vulnerability