Share
## https://sploitus.com/exploit?id=2CC212A7-032B-5922-B8BE-86F87D50EA33
# CVE-2026-50454 SYSTEM Shell PoC

Proof of concept for CVE-2026-50454, a Windows User Interface Core elevation-of-privilege vulnerability fixed in the July 2026 security updates.

The PoC starts from a normal, non-elevated process belonging to a local administrator and opens an interactive command prompt as `NT AUTHORITY\SYSTEM`. It does not demonstrate elevation from a standard, non-administrator account.


## Demo

[![CVE-2026-50454 SYSTEM shell demonstration](media/cve50454-demo.gif)](media/cve50454.webm)


## Root cause

On vulnerable builds, `Windows.UI.Storage.dll` allows a zero-capability AppContainer to call the private `AppResolverActivationArgsFactory` without the required authorization check. The attacker supplies an AppResolver provider for the `ms-settings` protocol and calls `SetAsDefault`, causing Windows to create a valid protected association for the attacker's ProgID.

Launching the auto-elevated `fodhelper.exe` then invokes the registered handler with a High-integrity administrator token. The PoC uses that token to create a temporary service, whose process launches the final interactive SYSTEM shell.

The update adds capability checks for `applicationDefaults` or `shellExperience` before the factory creates the AppResolver object. A zero-capability AppContainer is rejected with `E_ACCESSDENIED` (`0x80070005`).

Microsoft describes the public CVE impact as arbitrary system-file deletion. This PoC exercises a capability-check failure in the patched component and does not reproduce the published deletion primitive.

## Requirements

- x64 Windows 11 on a vulnerable build
- A local administrator account running a normal, non-elevated PowerShell window
- UAC and auto-elevation enabled
- An interactive console session
- No existing per-user `ms-settings` default association
- Visual Studio or Visual Studio Build Tools with Desktop development with C++ and a Windows SDK

Validated on Windows 11 25H2 build `26200.8737` with `Windows.UI.Storage.dll` version `10.0.26100.8737`. Build `26200.8875` rejects the trigger.

## Usage

Open a normal PowerShell window. Do not use **Run as administrator**.

```powershell
.\build.ps1
Set-ExecutionPolicy -Scope Process Bypass
.\run.ps1
```

A Command Prompt titled `CVE-2026-50454 SYSTEM Shell` should open. Verify the token inside it:

```cmd
whoami
whoami /groups
```

Expected identity:

```text
nt authority\system
```

Close the SYSTEM Command Prompt manually when finished. The scripts remove the temporary service, protocol registration, protected association, and AppContainer profile during normal cleanup.

## Build

The repository contains source code only. `build.ps1` discovers an installed Visual Studio toolchain and builds the three required x64 executables:

```powershell
.\build.ps1
```

Generated `.exe`, `.obj`, and `.pdb` files are excluded from version control.

## Fixed behavior

On a patched build, the trigger log at `C:\Users\Public\CVE50454\appcontainer_result.txt` should contain:

```text
CREATE_ARGS_HRESULT=0x80070005
```

No protected `ms-settings` association or elevated process should be created.