Skip to main content
TechnologyJul 6, 2026· 3 min read

A Huge Flaw in MSI Center Put Millions of PCs at Risk: Fix Now Available

A Huge Flaw in MSI Center Put Millions of PCs at Risk: Fix Now Available

A security researcher has identified a high-severity vulnerability within MSI Center, the software pre-installed on most notebooks and desktops assembled by the Taiwanese manufacturer. The issue would have allowed any authenticated user of the system to obtain LocalSystem privileges, the highest level available on Windows, paving the way for possible privilege escalation and arbitrary code execution.

The analysis started from the offline installer of the application, extracted using dedicated tools after identifying the packaging system used. The researcher then decompiled about 170 executables and libraries present in the package, subsequently focusing on the most interesting components to identify any weaknesses in inter-process communication.

The Problem Resided in the Notebook Foundation Service

The vulnerability was found in the Notebook Foundation service, which creates a named pipe at system startup, a mechanism used by Windows to allow communication between different processes. According to the researcher, this interface was accessible to any authenticated user and offered a series of particularly sensitive commands. Among these were operations to read, modify, and delete the registry with LocalSystem privileges, interact with Windows Management Instrumentation (WMI) to change system settings, including those related to Windows Defender, as well as the ability to start or terminate processes with elevated privileges.

In practice, a user without administrative rights could exploit the service to execute programs as LocalSystem, thus gaining full control of the machine. Malware could have utilized the same technique to disable Windows Defender protections or execute payloads with maximum privileges.

Proprietary Protocol and 3DES Encryption Did Not Prevent Exploitation

MSI had implemented a proprietary protocol to communicate with the named pipe, requiring that messages were encrypted using 3DES, an algorithm now considered outdated from a security perspective. The researcher explained that to exploit the vulnerability, it was sufficient to register a client with an arbitrary name, encrypt the command intended for the service using that name as a key, and send it through the named pipe. The service would then automatically attempt to decrypt the message by trying all registered clients until it found the correct one, ultimately executing the requested command with LocalSystem privileges.

The proof of concept developed by the researcher merely launches cmd.exe to demonstrate privilege escalation, but it is highlighted that malware could employ the same technique to execute PowerShell scripts or other arbitrary code.

During checks, it also emerged that the vulnerability could be exploited remotely via SMB within the local network, turning it into a case of Remote Code Execution (RCE). In this scenario, however, the attacker must have valid credentials to authenticate on the target system, as the named pipe only accepts requests from authenticated users.

Patch Available, but CVE Still Pending

In his analysis, the researcher also recounted a curious episode that occurred during the reporting of the vulnerability. The email address of the MSI PSIRT team initially returned an error indicating a full mailbox, implying that security reports were not being delivered. It later emerged that the message had, in fact, been received by the company.

MSI prepared a fix just two days after the report, integrating it into the MSI Center 2.0.70.0 release, published on June 1, 2026. The assignment of a CVE identifier has not yet been completed. MSI suggested that the researcher request it through MITRE or a third-party CNA authority; the request has been forwarded to VulDB, where it is still under review due to the high number of reports received.

According to the timeline published by the researcher, the vulnerability was discovered on May 9, 2026, reported the following day, fixed by MSI on May 12, and made public at the end of the embargo on July 1, 2026. Users of MSI Center are therefore urged to check that they have installed at least version 2.0.70.0, which includes the fix for the vulnerability.