• Category: Security
  • Status: confirmed
  • Sources: researcher write-up, HN discussion
  • Summary: A researcher (mrbruh) documented a local privilege escalation in MSI Center: the MSI Notebook Foundation service exposes a named pipe (MSI_SERVICE_2) reachable by any authenticated user, offering registry access, WMI manipulation, and executable execution as LocalSystem. The service encrypts commands with 3DES keyed on a registered client name and brute-forces decryption against registered names, so an attacker registers an arbitrary name, encrypts a PC:REXE command, and has it executed as SYSTEM. MSI shipped a fix in MSI Center 2.0.70.0 (2026-06-01) about two days after the report; a CVE is under review at VulDB.
  • Why it matters: MSI Center is preinstalled on widely sold MSI hardware, so an any-authenticated-user path to SYSTEM is a broad local-escalation exposure until users update.
  • Follow-up: Track CVE assignment and confirmation that 2.0.70.0 fully removes the named-pipe command path.

Send feedback on this story