OKI sPSV Port Manager: Local Privilege Escalation via Unquoted Path

The National Vulnerability Database (NVD) highlights CVE-2020-37229, a critical unquoted service path vulnerability in OKI sPSV Port Manager version 1.0.41. This flaw, rated 7.8 (HIGH) on the CVSS scale, allows a local attacker to escalate privileges to LocalSystem by placing a malicious executable along the service path. Because the path contains spaces and is not quoted, Windows tries each space-delimited prefix of it as a program name before reaching the real binary, so when the sPSVOpLclSrv service is restarted or the system reboots, it runs the planted file with elevated permissions.

This isn’t theoretical. An attacker already on the system, even with low privileges, can leverage this for full system compromise. It’s a classic lateral movement and persistence vector. Defenders need to recognize that local privilege escalation vulnerabilities are often chained with initial access techniques, turning a minor foothold into a complete takeover.

While specific affected products aren’t detailed by the NVD, any organization running OKI sPSV Port Manager 1.0.41 is exposed. The fix involves ensuring service paths are properly quoted to prevent this injection. This is a basic security hygiene issue that still plagues many applications.

What This Means For You

  • If your organization uses OKI sPSV Port Manager 1.0.41, you need to verify that the sPSVOpLclSrv service path is properly quoted. An unquoted path is an open invitation for local privilege escalation, allowing an attacker who has already breached your perimeter to gain full control of the system. Patch or mitigate this immediately.
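One way to run that check offline against exported service configuration, as an added example that is not code from the original page or from OKI. The function names and the sample services are hypothetical; the sPSVOpLclSrv path is the one that appears in this page's Sigma rule and is assumed, not confirmed against an installed system.

```python
import re

# ".exe" marks the end of the binary in an unquoted ImagePath; the rest is arguments.
_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:  # unbalanced quote: treat the remainder as the executable
            return p[1:], "", True
        return p[1:end], p[end + 1:], True
    m = _EXE_END.search(p)
    cut = m.end() if m else len(p)
    return p[:cut], p[cut:], False

def interception_candidates(image_path):
    """Paths Windows tries before the real binary; an empty list means not exposed."""
    exe, _, quoted = split_image_path(image_path)
    if quoted:
        return []
    # Every space in the executable path is a point where resolution can stop early.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted_form(image_path):
    """Return the ImagePath with the executable quoted (the remediation)."""
    exe, args, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return image_path.strip()
    return f'"{exe}"{args}'

def audit(services):
    """Map service name -> (candidates, fixed ImagePath) for exposed services only."""
    return {name: (interception_candidates(path), quoted_form(path))
            for name, path in services.items() if interception_candidates(path)}

# Constructed sample export; only the first path comes from this page (its Sigma rule).
SAMPLE_SERVICES = {
    "sPSVOpLclSrv": r"C:\Program Files (x86)\OKI\sPSV Port Manager\sPSVOpLclSrv.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Tools Dir\agent.exe --mode service",
}

if __name__ == "__main__":
    for name, (cands, fixed) in audit(SAMPLE_SERVICES).items():
        print(name, "-> set ImagePath to:", fixed)
        for c in cands:
            print("   must not exist or be creatable by non-admins:", c)
```

Each reported candidate is a location to check for unexpected files and for write permissions granted to non-administrators; the quoted form is the value the service's ImagePath should hold.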

Detection Rules

CVE-2020-37229 - OKI sPSV Port Manager Unquoted Service Path Privilege Escalation

Sigma YAML
title: CVE-2020-37229 - OKI sPSV Port Manager Unquoted Service Path Privilege Escalation
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects a process started by the Service Control Manager from one of the truncated locations that Windows tries when it resolves the unquoted, space-containing path of the OKI sPSV Port Manager service (sPSVOpLclSrv.exe). An executable at any of these locations runs as LocalSystem in place of the real service binary (CVE-2020-37229).
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2020-37229/
tags:
  - attack.privilege_escalation
  - attack.t1574.009  # Path Interception by Unquoted Path
logsource:
  category: process_creation
  product: windows
detection:
  # Service binaries are launched by services.exe, not svchost.exe.
  selection_parent:
    ParentImage|endswith: '\services.exe'
  # Truncations, at each space, of the install path this rule assumes:
  # C:\Program Files (x86)\OKI\sPSV Port Manager\sPSVOpLclSrv.exe
  # Confirm the path against the service's actual ImagePath before deploying.
  selection_intercept:
    Image:
      - 'C:\Program.exe'
      - 'C:\Program Files.exe'
      - 'C:\Program Files (x86)\OKI\sPSV.exe'
      - 'C:\Program Files (x86)\OKI\sPSV Port.exe'
  condition: selection_parent and selection_intercept
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2020-37229 | Privilege Escalation | OKI sPSV Port Manager version 1.0.41
CVE-2020-37229 | Privilege Escalation | Unquoted service path vulnerability in sPSVOpLclSrv service

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
