What is the CVSS score of CVE-2020-36879?

CVE-2020-36879 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2020-36879?

Yes, a public proof-of-concept exploit is available for CVE-2020-36879. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2020-36879?

Within 24 hours: Inventory all systems running Flexsense DiskBoss and isolate affected machines from production networks if possible; disable or stop DiskBoss services immediately if not business-critical. Within 7 days: Contact Flexsense for patch availability and timeline; implement network segmentation to restrict service access; consider alternative disk management solutions. Within 30 days: Upgrade to patched version immediately upon availability; conduct forensic analysis for signs of exploitation; review service startup logs and process execution for suspicious activity.

CVE-2020-36879

EUVD-2020-30825 HIGH

Unquoted Search Path or Element (CWE-428)

2025-12-05 disclosure@vulncheck.com

RCE

8.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.5 HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2020-30825

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

PoC Detected

Dec 08, 2025 - 18:26 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 18:15 nvd

HIGH 8.5

DescriptionCVE.org

Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands.

Analysis

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication.

RemediationAI

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

CVE-2020-36879 vulnerability details – vuln.today

Back