MSI Center Grants SYSTEM Privileges to Any Authenticated User

Researcher "mrbruh" discovered that MSI Center's Notebook Foundation service creates a named pipe \\.\pipe\MSI_SERVICE_2 accessible to any authenticated user. The pipe exposes commands that run with SYSTEM privileges, including:

  • REXE: Execute any executable as LocalSystem
  • KEXE: Kill any process
  • Registry: Read, write, delete any registry key
  • WMI: Modify system settings (e.g., Windows Defender exclusions)

Technical Deep Dive

The vulnerability lies in the service's custom protocol. It uses 3DES encryption with the client name as the key. The service brute-forces decryption by trying all registered client names until one succeeds. Since any authenticated user can register a client, an attacker can encrypt a malicious command and send it to the pipe.

Proof of Concept

The researcher demonstrated privilege escalation by launching cmd.exe as SYSTEM. The exploit requires:

  1. Open a connection to \\.\pipe\MSI_SERVICE_2
  2. Register with a random client name (e.g., ABCD123)
  3. Encrypt the PC:REXE command with 3DES using the client name as key
  4. Send the encrypted payload

The service decrypts it and runs the command. The researcher noted that the exploit can also be triggered remotely via SMB on a LAN, but requires valid credentials.

MSI's Response

When the researcher reported via PSIRT, the mailbox was full and returned a quota error. After contacting MSI through Gamers Nexus, MSI acknowledged the issue and released a patch in MSI Center 2.0.70.0 within two days. MSI could not issue a CVE, so the researcher requested one via VulDB (still pending as of writing).

Timeline

  • 09/05/2026: Vulnerability discovered
  • 10/05/2026: Reported to MSI (email bounced)
  • 12/05/2026: MSI confirms and creates patch
  • 01/06/2026: MSI Center 2.0.70.0 released
  • 03/06/2026: CVE-2026-XXXX requested via VulDB
  • 01/07/2026: Embargo ends

Implications

This vulnerability is especially dangerous because MSI Center is preinstalled on many laptops and desktops. Malware can disable Windows Defender or gain persistence without admin privileges. Users should update to MSI Center 2.0.70.0 or later immediately.

How to Protect Yourself

  1. Update MSI Center to version 2.0.70.0 or later
  2. If you don't use MSI Center, consider uninstalling it
  3. Monitor for suspicious processes connecting to named pipes
  4. Restrict access to named pipes using security descriptors if possible