Security
MSI Center named-pipe flaw grants SYSTEM to any local user
- Category: Security
- Status: confirmed
- Sources: researcher write-up, HN discussion
- Summary: A researcher (mrbruh) documented a local privilege escalation in MSI Center: the MSI Notebook Foundation service exposes a named pipe (
MSI_SERVICE_2) reachable by any authenticated user, offering registry access, WMI manipulation, and executable execution as LocalSystem. The service encrypts commands with 3DES keyed on a registered client name and brute-forces decryption against registered names, so an attacker registers an arbitrary name, encrypts aPC:REXEcommand, and has it executed as SYSTEM. MSI shipped a fix in MSI Center 2.0.70.0 (2026-06-01) about two days after the report; a CVE is under review at VulDB. - Why it matters: MSI Center is preinstalled on widely sold MSI hardware, so an any-authenticated-user path to SYSTEM is a broad local-escalation exposure until users update.
- Follow-up: Track CVE assignment and confirmation that 2.0.70.0 fully removes the named-pipe command path.