ShadeYou service executes any file without any verification as SYSTEM user.

Inside GenerateConfiguration method there is bug which leads to comand injection

Only files digitally signed by SparkLabs can use this pipe because of usage of new X509Certificate2. But it's possible to bypass this by injecting our DLL into Viscosity.exe.

It's possible to execute arbitrary commands using login form because exec() function is used without using escapeshellarg() or escapeshellcmd().

Using Execute Command File we can execute commands on Scheduled system shutdown and because UPSMan is running as SYSTEM we execute them as Priveleged user.

You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().

We can pass __e value which is base64 encoded and unfortunatelly those datas are not cleaned.

We can set command which will be executed when monitor get remote shutdown command.