$_COOKIE[STATIONSID] is not escaped.

RunImpersonated() executes given function in the context of currently logged in user.

CG6Service service has interesting method SetPeLauncherState which allows launch the debugger automatically for every process we want using Image File Execution Options

ShadeYou service executes any file without any verification as SYSTEM user.

Inside GenerateConfiguration method there is bug which leads to comand injection

Only files digitally signed by SparkLabs can use this pipe because of usage of new X509Certificate2. But it's possible to bypass this by injecting our DLL into Viscosity.exe.

It's possible to execute arbitrary commands using login form because exec() function is used without using escapeshellarg() or escapeshellcmd().

Using Execute Command File we can execute commands on Scheduled system shutdown and because UPSMan is running as SYSTEM we execute them as Priveleged user.