CVE-2020-36928

Published: Jan 16, 2026Modified: Feb 9, 2026

8.5

Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions.

Affected (1)

Products: Brother: Bragent

Brother

1 product

Bragent

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Brother Bragent	Version 1.38

Related CWEs

CWE-428

Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

References (4)

https://help.brother-usa.com/app/answers/detail/a_id/174732/~/what-is-bragent%3F

Source: disclosure@vulncheck.com

Product

https://www.exploit-db.com/exploits/50010

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://www.vulncheck.com/advisories/brother-bragent-wbaagentclient-unquoted-service-path

Source: disclosure@vulncheck.com

Third Party Advisory

https://www.exploit-db.com/exploits/50010

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline (13)

2/9/2026

5 changes

Initial Analysis - Reference Type

03:04 PM

- -
+ VulnCheck: https://www.vulncheck.com/advisories/brother-bragent-wbaagentclient-unquoted-service-path Types: Third Party Advisory

Initial Analysis - Reference Type

03:04 PM

- -
+ VulnCheck: https://www.exploit-db.com/exploits/50010 Types: Exploit, Third Party Advisory

Initial Analysis - Reference Type

03:04 PM

- -
+ CISA-ADP: https://www.exploit-db.com/exploits/50010 Types: Exploit, Third Party Advisory

Initial Analysis - Reference Type

03:04 PM

- -
+ VulnCheck: https://help.brother-usa.com/app/answers/detail/a_id/174732/~/what-is-bragent%3F Types: Product

Initial Analysis - CPE Configuration

03:04 PM

- -
+ OR
          *cpe:2.3:a:brother:bragent:1.38:*:*:*:*:*:*:*

1/16/2026

8 changes

CVE Modified - Reference

05:15 PM

- -
+ https://www.exploit-db.com/exploits/50010

New CVE Received - Reference

12:16 AM

- -
+ https://www.vulncheck.com/advisories/brother-bragent-wbaagentclient-unquoted-service-path

New CVE Received - Reference

12:16 AM

- -
+ https://www.exploit-db.com/exploits/50010

New CVE Received - Reference

12:16 AM

- -
+ https://help.brother-usa.com/app/answers/detail/a_id/174732/~/what-is-bragent%3F

New CVE Received - CWE

12:16 AM

- -
+ CWE-428

New CVE Received - CVSS V3.1

12:16 AM

- -
+ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

New CVE Received - CVSS V4.0

12:16 AM

- -
+ AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

New CVE Received - Description

12:16 AM

- -
+ Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions.