Submit #846800: Micro-Star International (MSI) Center NBFoundation Service 2.0.69.0 Privilege Escalationinfo

TitleMicro-Star International (MSI) Center NBFoundation Service 2.0.69.0 Privilege Escalation
Description***NOTICE: This vulnerability is under a coordinated disclosure embargo with MSI until July 1, 2026. I am requesting an Early Reservation of a CVE ID prior to the embargo lifting.*** VULNERABILITY DETAILS: A Local Privilege Escalation (LPE) vulnerability exists in the MSI NBFoundation Service (MSIAPService), a component installed conditionally alongside MSI Center on MSI Notebooks. The vulnerability affects MSI Center up to version x.x.x.x (NBFoundation Service up to version 2.0.2603.3001). It has been patched in MSI Center 2.0.70.0. The MSI Foundation Service runs as LocalSystem and spawns a named pipe server at \\.\pipe\MSI_SERVICE_2. The Discretionary Access Control List (DACL) for this pipe explicitly grants Authenticated Users (AU) read and write access (GRGW). The pipe server parses commands grouped by category. The PC (Process) group includes a REXE command, which allows a client to supply properties (like FileName and Arguments) to populate a ProcessStartInfo object. Before execution, the service calls CertificationPass(string sFilePath), which is merely a stub that returns true unconditionally. Consequently, the service proceeds to call ApplicationLoader.StartProcessAndBypassUAC, which utilizes CreateProcessAsUser to spawn the requested process. Because the pipe is accessible to unprivileged users and lacks any functional authorization or input sanitization, a local attacker can use this primitive to gain SYSTEM-level code execution. VENDOR ACKNOWLEDGMENT: MSI PSIRT has confirmed this vulnerability (Ticket: 1338792), released a patch in version x.x.x.x, and added the researcher ("MrBruh") to their Security Advisor Hall of Fame for May 2026. PROOF OF CONCEPT: Code: https://mrbruh.com/msicenter/lpe_poc.go Video: https://mrbruh.com/msicenter/msicenter_lpe.mp4
Source⚠️ https://csr.msi.com/global/product-security-advisories
User
 MrBruh (UID 98734)
Submission06/03/2026 11:40 (1 month ago)
Moderation07/12/2026 08:17 (1 month later)
StatusDuplicate
VulDB entry374064 [NBFoundation MSI NBFoundation Service 2.0.2506.1201 MSIAPService.exe permission]
Points0

Do you want to use VulDB in your project?

Use the official API to access entries easily!