CVE-2020-36154
Description
The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative privileges via a Trojan horse application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Pearson VUE/VTS Installer
- Range: =2.3.1911
Patches
Vulnerability mechanics
Root cause
"Unquoted service binary path combined with insecure Everyone FullControl permissions on the parent directory allows a local attacker to plant a malicious executable that the service will launch with elevated privileges."
Attack vector
A local attacker with unprivileged access to the system can exploit two weaknesses in the VUEApplicationWrapper service. First, the service binary path "C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe" is unquoted, so Windows will search for executables in each space-separated segment (e.g., "C:\Pearson.exe", "C:\Pearson VUE\VUE.exe") [ref_id=1]. Second, the "C:\Pearson VUE" directory has Everyone FullControl permissions, allowing the attacker to place a malicious executable named "VUE.exe" or "Pearson.exe" in that path [ref_id=1]. When the service starts (AUTO_START), the planted Trojan horse runs with the privileges of the VUEService account, which has administrative rights [ref_id=1].
Affected code
The vulnerable component is the VUEApplicationWrapper service installed by the Pearson VUE VTS Installer 2.3.1911. The service binary path is "C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe" — an unquoted path with spaces [ref_id=1]. Additionally, the "%SYSTEMDRIVE%\Pearson VUE" directory grants Everyone Full Control permissions [ref_id=1].
What the fix does
No patch is published in the bundle. The advisory [ref_id=1] identifies two root causes: the unquoted service path and the insecure Everyone FullControl ACL on the "Pearson VUE" directory. Remediation would require the vendor to either quote the BINARY_PATH_NAME in the service definition or restrict directory permissions to only authorized users (e.g., SYSTEM and Administrators), or both. Without a vendor-supplied fix, users should manually apply these hardening steps.
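As an aid to that manual hardening, the following added example (not taken from the advisory or the researcher's readme) parses `sc qc` output, flags an unquoted binary path, and lists the directories whose write permissions decide whether the path is exploitable. The sample output is constructed from the values quoted above, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed `sc qc` output; service name, path, start type and account are the
# values quoted in the text above, the layout is standard sc.exe formatting.
SAMPLE_SC_QC = r"""
SERVICE_NAME: VUEApplicationWrapper
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe
        SERVICE_START_NAME : .\VUEService
"""

def binary_path(sc_qc_text):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*\S)", sc_qc_text, re.M)
    return m.group(1) if m else None

def executable_part(command_line):
    """Drop trailing arguments: keep everything up to the first '.exe' token."""
    m = re.match(r"(.+?\.exe)(?=\s|$)", command_line, re.I)
    return m.group(1) if m else command_line

def search_candidates(command_line):
    """Paths Windows tries before the intended binary when the command line is
    unquoted: one per space in the executable part ('.exe' added if no extension)."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return []  # quoted path: no ambiguity
    exe = executable_part(command_line)
    found = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            found.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return found

def dirs_to_audit(command_line):
    """Directories whose ACLs must deny writes to non-administrators."""
    dirs = []
    for candidate in search_candidates(command_line):
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    print("unquoted:", bool(search_candidates(path)))
    for d in dirs_to_audit(path):
        print("check write ACL on:", d)
```

An empty result from `search_candidates` means the path is either quoted or contains no space before the executable name, so only the directory ACL finding remains to be checked.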
Preconditions
- auth: Attacker must have local unprivileged access to the Windows system where Pearson VUE VTS 2.3.1911 is installed.
- config: The VUEApplicationWrapper service must be configured with AUTO_START (default) or the attacker must be able to trigger a service restart.
- config: The 'C:\Pearson VUE' directory must retain the default Everyone FullControl permission.
Reproduction
The bundle references an Exploit-DB entry (49143) but does not include its text. The researcher's readme [ref_id=1] provides detection commands but no step-by-step reproduction. Therefore, reproduction steps cannot be reconstructed from the supplied material alone.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/passtheticket/vulnerability-research/blob/main/privilege-escalation/pearsonvue-readme.md (mitre, x_refsource_MISC)
- www.exploit-db.com/exploits/49143 (mitre, x_refsource_MISC)