"auto-execution" bug -- similar to ShellShock?

Hi.

If you open cmd.exe and type (paste) the command below:

{“results”:[“q”, "
rfd

“||
calc
||”,"I love
rfd
"]}

the process calc.exe will be executed with no consent whatsoever. (not even ENTER is necessary).

CIS hasn’t signaled me anything.

Can anyone else test this?

EDIT: I also made a video to demonstrate:

CIS is the nanny of program behaviour not the nanny of user behaviour. The user is allowed to basically do everything where unknown applications that do the same thing will get limited by the sandbox or the user will get alerted by HIPS alert(s).