Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path | Advisories

Advisories

Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path

severity: high
date: January 28, 2026
Affecting: Program Access Controller 1.2.0.0
CVE: CVE-2020-36987
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-48966
Vendor Homepage
Credit: Mohammed Alshehri
Description: Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.