Context menus are a deeply familiar part of the Windows user experience – right-click, choose an action, and carry on. But what if this everyday interaction could be abused to trigger command injection? In this talk, we reveal two previously unknown command injection vulnerabilities in Windows context menus, affecting both Windows 10 and 11.
We begin by demonstrating a bug in the latest version of Windows 11, then upgrade it to a one-click command injection that requires no user-supplied scripts and no elevated privileges. From there, we dissect how context menu commands are generated, uncovering a dangerous template engine at the heart of the issue. This investigation leads to the discovery of a second, earlier command injection affecting Windows 10 builds since 2017.
We close with multiple real-world abuse scenarios delivered through social engineering – from USB keys to drive mounts – in which a single click becomes a code execution vector, and provide mitigation insights for defenders.
