$_SERVER['PHP_AUTH_PW'] is directly passed to exec function.

We can access registerExternalLog without any user credentials.

$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.

CVE-2017-11151 allows remote attackers to upload arbitrary files to the specified directories.

When uploading a file, the FileUploadServlet class does not check the user-controlled fileName parameter using hasVulnerabilityInFileName function.

$_COOKIE[STATIONSID] is not escaped.

RunImpersonated() executes given function in the context of currently logged in user.

CG6Service service has interesting method SetPeLauncherState which allows launch the debugger automatically for every process we want using Image File Execution Options