| Title | Micro-Star International (MSI) Center NBFoundation Service 2.0.69.0 Privilege Escalation |
|---|
| Description | ***NOTICE: This vulnerability is under a coordinated disclosure embargo with MSI until July 1, 2026. I am requesting an Early Reservation of a CVE ID prior to the embargo lifting.***
VULNERABILITY DETAILS:
A Local Privilege Escalation (LPE) vulnerability exists in the MSI NBFoundation Service (MSIAPService), a component installed conditionally alongside MSI Center on MSI Notebooks. The vulnerability affects MSI Center up to version x.x.x.x (NBFoundation Service up to version 2.0.2603.3001). It has been patched in MSI Center 2.0.70.0.
The MSI Foundation Service runs as LocalSystem and spawns a named pipe server at \\.\pipe\MSI_SERVICE_2. The Discretionary Access Control List (DACL) for this pipe explicitly grants Authenticated Users (AU) read and write access (GRGW).
The pipe server parses commands grouped by category. The PC (Process) group includes a REXE command, which allows a client to supply properties (like FileName and Arguments) to populate a ProcessStartInfo object. Before execution, the service calls CertificationPass(string sFilePath), which is merely a stub that returns true unconditionally. Consequently, the service proceeds to call ApplicationLoader.StartProcessAndBypassUAC, which utilizes CreateProcessAsUser to spawn the requested process. Because the pipe is accessible to unprivileged users and lacks any functional authorization or input sanitization, a local attacker can use this primitive to gain SYSTEM-level code execution.
VENDOR ACKNOWLEDGMENT:
MSI PSIRT has confirmed this vulnerability (Ticket: 1338792), released a patch in version x.x.x.x, and added the researcher ("MrBruh") to their Security Advisor Hall of Fame for May 2026.
PROOF OF CONCEPT:
Code: https://mrbruh.com/msicenter/lpe_poc.go
Video: https://mrbruh.com/msicenter/msicenter_lpe.mp4 |
|---|
| Source | ⚠️ https://csr.msi.com/global/product-security-advisories |
|---|
| User | MrBruh (UID 98734) |
|---|
| Submission | 06/03/2026 11:40 (1 month ago) |
|---|
| Moderation | 07/12/2026 08:17 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 374064 [NBFoundation MSI NBFoundation Service 2.0.2506.1201 MSIAPService.exe permission] |
|---|
| Points | 0 |
|---|