## https://sploitus.com/exploit?id=FA69987A-BDA3-5E29-A19C-B906751DA948
# MSI Center / MSI NBFoundation Service Vulnerability Advisory
This repository publicly discloses three local privilege escalation / arbitrary
operation vulnerabilities in **MSI Center's MSI NBFoundation Service**
(`MSIAPService.exe`), which runs as `NT AUTHORITY\SYSTEM`.
| CVE | Title | CVSS* | Status |
|-----|-------|-------|--------|
| [CVE-2026-37452](advisories/CVE-2026-37452.md) | LPE to SYSTEM via insecure named pipe `\\.\pipe\MSI_SERVICE_2` (`PC:REXE` arbitrary process execution as SYSTEM) | High | **Fixed** |
| [CVE-2026-37453](advisories/CVE-2026-37453.md) | Arbitrary physical memory & I/O port read/write via the `WinIO` class wrapper exposed over the named pipe (`IO:RMREQ` / `IO:WMREQ` / port R/W) | High | **Fixed** |
| [CVE-2026-37454](advisories/CVE-2026-37454.md) | Arbitrary `HKLM` registry read/write/delete via the `REG` command group (no caller authentication) | High | **Fixed** |
\* Severity is the researcher's assessment; no official CVSS vector was published
for these IDs. All three require local access by an authenticated, low-privileged
user.
> **Affected version:** MSI Center / MSI NBFoundation Service ` (`MSIAPService.exe`).
>
> **Fixed version:** MSI Center **`2.0.70.0`**. Upgrade via MSI Center / MSI's
> official update channel. See [Mitigation](#mitigation).
---
## Summary
The MSI NBFoundation Service exposes a single named pipe,
`\\.\pipe\MSI_SERVICE_2`, to **all Authenticated Users**
(SDDL `D:(A;OICI;GRGW;;;AU)(A;OICI;GA;;;BA)`). The pipe's IPC protocol uses a
3DES-ECB cipher whose key is derived deterministically from the literal string
`msiservice` + a client-supplied application name + the current date, which is fully
predictable and trivially reproducible by any local user. Once the handshake is
complete, the service routes commands through `processInputCommand()` into
several command groups (`HS`, `REG`, `WMI`, `WMI2`, `PC`, `IO`), most of which
are executed with **SYSTEM privileges and no caller authentication**.
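As an added example (not code from the advisory or from MSI), a small Python parser that reads the pipe DACL quoted above and flags any allow ACE that grants a write-capable right to a broad principal such as Authenticated Users; the hardened SDDL in the block is a constructed admin/SYSTEM-only DACL for comparison, not MSI's actual fix.

```python
import re

# Subset of SDDL two-letter abbreviations sufficient for service pipe DACLs.
SIDS = {"AU": "Authenticated Users", "BA": "Administrators", "SY": "SYSTEM",
        "WD": "Everyone", "BU": "Users", "IU": "Interactive Users"}
BROAD_PRINCIPALS = {"AU", "WD", "BU", "IU"}          # every local user is a member
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "FA", "FW"}  # rights that allow writing
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of ACE dicts.
    Two-letter rights tokens are split; a hex access mask is kept as one token."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, sid = fields
        if rights.startswith("0x"):
            tokens = [rights]
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": tokens, "sid": sid})
    return aces


def broad_write_grants(sddl):
    """(principal, write rights) for every allow ACE that lets a broad group
    write to the object. Non-empty means any local user can send pipe commands."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] not in BROAD_PRINCIPALS:
            continue
        hits = sorted(set(ace["rights"]) & WRITE_RIGHTS)
        if hits:
            findings.append((SIDS[ace["sid"]], hits))
    return findings


# The pipe DACL quoted in the advisory, and a constructed admin/SYSTEM-only DACL.
PIPE_SDDL = "D:(A;OICI;GRGW;;;AU)(A;OICI;GA;;;BA)"
HARDENED_SDDL = "D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"  # assumption, not MSI's fix

if __name__ == "__main__":
    for label, sddl in (("as shipped", PIPE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, broad_write_grants(sddl) or "no broad write access")
```

The same check can be run on any pipe or service SDDL an administrator exports, so a non-empty result is the quickest way to confirm a service endpoint is reachable by every local user.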
The three CVEs correspond to three distinct command surfaces reachable through
that one pipe:
1. **CVE-2026-37452**: the `PC:REXE` command (`RunExecuable`) starts an
arbitrary process with a SYSTEM token via `StartProcessAndBypassUAC`
(`CreateProcessAsUser` on a duplicated *winlogon* token). The requested
target path and arguments are not meaningfully validated before being passed
to the SYSTEM-context process launcher.
2. **CVE-2026-37453**: the `IO` command group is a direct, unauthenticated
wrapper around the WinIO kernel driver (`WinIo64.dll` / `KernCoreLib64.sys`),
exposing `ReadMemory` / `WriteMemory` (`GetPhysLong`/`SetPhysLong`) and
`ReadPort` / `WritePort` (`GetPortVal`/`SetPortVal`). This grants arbitrary
physical-memory and I/O-port access from an unprivileged user, i.e. a Ring-0
primitive (token theft, arbitrary kernel code execution).
3. **CVE-2026-37454**: the `REG` command group (`REG:RREQ`/`WREQ`/`DREQ`) lets
any connected client read, write, or delete arbitrary `HKLM` (or `HKCU`)
registry keys, including `...CurrentVersion\Run` for persistence and
`SYSTEM\CurrentControlSet\Services\*` for service hijacking. No caller
authentication is applied to this group.
---
## Affected product
| Field | Value |
|-------|-------|
| Vendor | Micro-Star International (MSI) |
| Product | MSI Center / MSI NBFoundation Service |
| Component | `MSIAPService.exe` (Windows service, runs as `NT AUTHORITY\SYSTEM`) |
| Affected versions | `
## Disclaimer
This repository is published for defensive and educational purposes after
coordinated disclosure with MSI. The PoCs are minimal reproducers intended for
administrators to verify whether their installation has been patched. **Do not
run the PoCs against systems you do not own or are not authorized to test.**