Saved February 14, 2026
A vulnerability in K7 Ultimate Security allows low-privileged users to gain SYSTEM-level access by manipulating registry settings through named pipes. Despite attempts to patch the issue, attackers can exploit this flaw to disable protections or execute arbitrary code. Users are advised to update to the latest version.
A vulnerability in K7 Ultimate Security allows low-privileged users to gain SYSTEM-level privileges by exploiting named pipes with weak access controls. Discovered by researcher Lucas Laise during an unrelated investigation, this flaw enables users to manipulate registry settings without triggering User Account Control (UAC) prompts. Initial testing showed limited functionality for non-admin users in version 17.0.2045, but the vulnerability hinges on the ability to change settings without proper checks.
The exploitation process involved capturing communication through specific named pipes, like \\.\pipe\K7MailProxyV1 and \\.\pipe\K7TSMngrService1. Attackers could replay these captured packets using PowerShell, allowing them to tamper with configurations, disable real-time scans, or whitelist malicious software. Researchers also exploited the Image File Execution Options to run arbitrary code as SYSTEM during fake updates. A crafted script facilitated the creation of new admin users and streamlined the exploitation process.
K7 has released three patches in response to this vulnerability. The first patch attempted to add caller validation to K7TSMngrService1, but attackers found ways to bypass it through DLL mapping. Subsequent patches aimed to block injections into protected processes, but researchers identified methods to circumvent these protections by renaming signed binaries. The vulnerability's responsible disclosure spanned several months, with K7 acknowledging that full access control list (ACL) enforcement will be deferred to a future release. Users are advised to update their software promptly and remain vigilant for further developments.
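Because the write-up describes Image File Execution Options (IFEO) being used to get code run as SYSTEM, a host check for unexpected IFEO Debugger values is a useful follow-up to patching. The PowerShell below is an added example, not code from the article, the researcher, or K7; the function name Get-IfeoDebuggerEntry is hypothetical, and it assumes the standard Windows IFEO registry locations.

```powershell
# Added example: list every Image File Execution Options (IFEO) subkey that
# sets a Debugger value, in both the native and 32-bit (WOW6432Node) views.
# A Debugger value makes Windows start that program in place of the image.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntry {
    # Hypothetical helper name; not part of any product or module.
    param([string[]]$Root = $ifeoRoots)

    foreach ($path in $Root) {
        # The WOW6432Node view does not exist on 32-bit Windows.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue) {
            # RegistryKey.GetValue returns $null when the value is absent.
            $debugger = $key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            [pscustomobject]@{
                Image    = $key.PSChildName   # executable name the entry applies to
                Debugger = $debugger          # program launched instead of the image
                View     = if ($path -like '*WOW6432Node*') { '32-bit' } else { 'native' }
                KeyPath  = $key.Name
            }
        }
    }
}

# Review the output against a known-good baseline for the host.
Get-IfeoDebuggerEntry | Sort-Object Image | Format-Table -AutoSize -Wrap
```

A Debugger value is not malicious by itself, since developer and diagnostic tools set it legitimately; the entries worth investigating are those that appear on a machine where nobody installed such a tool, or that name an updater or security-product executable.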