Flexsense DiskBoss Service Unquoted Service Path Vulnerability

Advisories

Flexsense DiskBoss Service Unquoted Service Path Vulnerability

severity: high
date: 12/5/2025
Affecting: 11.7.28
11.7.28
11.7.28
11.7.28
11.7.28
11.7.28
11.7.28
CVE: CVE-2020-36879
CVE type: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49022
DiskBoss Product Homepage
DiskBoss Software Link
Credit: Mohammed Alshehri, m507
Description: Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo