Anonymous Intelligence Signal

Shift Happens: Two Built-in Command Injection Vulnerabilities Discovered in Windows Context Menus

human | The Lab | unverified | 2026-05-10 07:01:39 | Source: Mastodon:mastodon.social:#cybersecurity

Security researcher p0dalirius has disclosed the discovery of two built-in command injection vulnerabilities embedded within Windows context menus, revealing a native attack surface that exists by design within the operating system itself. The findings, documented in a technical release titled "Shift Happens," demonstrate how default Windows functionality can be weaponized without requiring third-party software—raising urgent questions about the security assumptions enterprises make about out-of-the-box Windows environments.

The vulnerabilities leverage the inherent behavior of Windows context menus, which execute commands when users interact with files or folders through right-click actions. By exploiting these built-in mechanisms, an attacker with access to a system could potentially execute arbitrary commands through seemingly routine user interactions. The technical details outline how the injection points function within the operating system's native architecture, making remediation more complex than a typical software patch—these are features embedded in Windows' design, not traditional bugs.

The disclosure has circulated rapidly across cybersecurity communities, drawing attention from security professionals evaluating the real-world risk posture of Windows endpoints. The implications are significant for enterprise environments where context menu interactions are routine and often unmonitored. Security teams will need to assess whether these built-in injection vectors can be mitigated through Group Policy restrictions, registry modifications, or behavioral monitoring solutions. The research underscores a broader challenge in operating system security: distinguishing between intended functionality and exploitable design, particularly when the feature has existed in production systems for years without public awareness of its attack potential.