Cyber Web Spider Blog – News
PoC Exploit Unveiled for Lenovo Code Execution Vulnerability Enabling Privilege Escalation

Posted on October 13, 2025 by CWS

A critical vulnerability in Lenovo's Dispatcher drivers has come under the spotlight after researchers released a proof-of-concept exploit that demonstrates privilege escalation on affected Windows systems.

Tracked as CVE-2025-8061, the flaw stems from insufficient access controls in the drivers, allowing a local attacker to execute arbitrary code with elevated privileges.

Discovered by security firm Quarkslab, the issue affects Lenovo consumer notebooks running older driver versions, raising concern for users who have not applied recent patches.

Vulnerability Breakdown

The Lenovo Dispatcher drivers, versions 3.0 and 3.1, handle system processes on certain consumer notebooks, but they expose an IOCTL interface without proper access restrictions.

This oversight, classified under CWE-782 (Exposed IOCTL with Insufficient Access Control), allows an authenticated local user to drive the driver's privileged operations and trigger code execution in kernel mode, leading to full system compromise.

The National Vulnerability Database rates it with a CVSS 4.0 score of 7.3, citing high impact on confidentiality, integrity, and availability, though exploitation requires local access and is rated high attack complexity.

Affected systems include those with the LnvMSRIO.sys driver up to version 3.1.0.36, commonly found in Lenovo laptops preloaded with Windows 10 or older Windows 11 builds without the default mitigations.

Lenovo Dispatcher 3.2 and later is unaffected, as Lenovo patched the flaw in version 3.1.0.41, released in September 2025.

Importantly, enabling Windows Core Isolation Memory Integrity (hypervisor-protected code integrity, HVCI) blocks the published exploitation technique: the PoC depends on clearing SMEP in CR4 and running unsigned shellcode in kernel mode, both of which HVCI prevents. The feature is on by default on Windows 11 Lenovo systems, which lowers real-world risk for up-to-date users, but it does not remove the driver's missing access checks; only the driver update does that.

Aspect                 | Details
-----------------------|------------------------------------------------------------------------------------
Affected Products      | Lenovo Dispatcher Driver 3.0, 3.1 (LnvMSRIO.sys up to 3.1.0.36) on consumer notebooks
Impact Assessment      | Local privilege escalation to kernel mode, potential full system control
Exploit Prerequisites  | Authenticated local user access; Core Isolation disabled; specific Windows build (e.g., 24H2 without HVCI)
CVSS 3.1 Score         | N/A (CVSS 4.0: 7.3 – High)

Exploitation In Action

Security researcher Luis Casvella of Quarkslab detailed the exploit in a September 2025 blog post, showing how an attacker can use the driver's MSR read primitive to leak kernel addresses such as KiSystemCall64 via the LSTAR register (MSR 0xC0000082).

That leak defeats kernel ASLR, since the ntoskrnl base follows from the leaked address and a build-specific offset; the PoC then clears SMEP and runs token-stealing shellcode that copies the SYSTEM process's token into the attacker's process.

A follow-up GitHub repository by symeonp provides a working PoC that spawns a SYSTEM shell on Windows 11 24H2. It is hardcoded for build 26100.1, so other builds need adjusted offsets (KiSystemCall64 sits at 0x6b2b40 in that build) and the same CR4 manipulation to disable SMEP (bit 20).

The technique involves reading MSRs to locate the syscall entry point and from it the kernel base, injecting shellcode that walks kernel structures such as _KPCR and _EPROCESS to perform the token swap, and restoring CR4 and LSTAR afterwards so the system does not crash.

Casvella's analysis notes four related bugs in the driver and stresses the BYOVD angle: because the driver is legitimately signed, an attacker can load it on any Windows machine to gain kernel access for post-exploitation without defeating Driver Signature Enforcement (DSE).

While no in-the-wild exploitation has been reported, the public PoC underscores how easily red teamers or malware authors could adapt it against unpatched Lenovo devices.

Lenovo urges immediate updates to Dispatcher Driver 3.1.0.41 or later via Windows Update or its support site to close the gap.

For added protection, users should verify Core Isolation in Windows Security under Device security and turn Memory Integrity on if it is disabled. On modern hardware the performance cost is negligible; note that Windows refuses to enable it while an incompatible driver is loaded and lists the offending drivers on the same page.

Organizations should scan for vulnerable drivers using tools such as those from AhnLab, or monitor endpoints for anomalous IOCTL activity against the driver.

The disclosure timeline shows Quarkslab's coordinated work with Lenovo since June 2025, culminating in patches despite delays.

As BYOVD remains a staple of advanced threats, this incident highlights the need for vigilant driver management in enterprise environments. With the PoC now public, prompt action is essential to guard against privilege escalation chains in real attacks.
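The three remediation steps above (patch level, Memory Integrity, driver inventory) can be checked from an elevated PowerShell prompt. The script below is an added example written for this page; it is not from the article, Lenovo or Quarkslab. It assumes the driver file is installed under System32\drivers (and may also be staged in the Driver Store), that the file version of LnvMSRIO.sys tracks the Dispatcher package version as the article's 3.1.0.36 figure suggests, and that the fixed threshold is 3.1.0.41 as stated above.

```powershell
# Added example: audit one Windows host for a vulnerable LnvMSRIO.sys build
# (CVE-2025-8061) and for the Memory Integrity (HVCI) state that blocks the PoC.
# Assumptions: fixed version 3.1.0.41 taken from the article; driver file name and
# locations are the usual ones for PnP-installed drivers.

$FixedVersion = [version]'3.1.0.41'

# Installed copy plus any copies staged in the Driver Store (a staged but unloaded
# copy still matters: BYOVD only needs a signed, loadable driver file).
$candidates = @(Join-Path $env:SystemRoot 'System32\drivers\LnvMSRIO.sys') +
    @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository') `
        -Filter 'LnvMSRIO.sys' -Recurse -ErrorAction SilentlyContinue | ForEach-Object FullName)

$findings = foreach ($p in ($candidates | Where-Object { $_ -and (Test-Path $_) })) {
    $vi  = (Get-Item $p).VersionInfo
    $ver = $vi.FileVersionRaw          # [version] object; FileVersion is only a string
    [pscustomobject]@{
        Path       = $p
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)
        Signer     = (Get-AuthenticodeSignature $p).SignerCertificate.Subject
    }
}

# Is the driver currently registered/running as a system driver?
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'LnvMSRIO\.sys$' } |
    Select-Object Name, State, StartMode, PathName

# HVCI state. SecurityServicesRunning contains 2 when Memory Integrity is active;
# the registry value shows whether it has been toggled on but not yet applied by a reboot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
$hvciConfigured = [bool](Get-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' `
    -Name Enabled -ErrorAction SilentlyContinue).Enabled

$findings | Format-Table -AutoSize
$loaded   | Format-Table -AutoSize
"Memory Integrity (HVCI) running: $hvciRunning (configured: $hvciConfigured)"

$vulnerable = @($findings | Where-Object Vulnerable)
if ($vulnerable.Count -gt 0 -and -not $hvciRunning) {
    Write-Warning 'Vulnerable LnvMSRIO.sys present and Memory Integrity is off: update Dispatcher to 3.1.0.41+ and enable Memory Integrity.'
} elseif ($vulnerable.Count -gt 0) {
    Write-Warning 'Vulnerable LnvMSRIO.sys present; HVCI blocks the published PoC but the driver still needs updating.'
} else {
    'No vulnerable LnvMSRIO.sys build found.'
}
```

Run it with administrator rights so the Driver Store is readable and the DeviceGuard class returns data. The Signer column is there to distinguish the genuine Lenovo-signed file from a renamed lookalike; a vulnerable version that is signed by Lenovo is exactly what makes the BYOVD scenario in the article work, so a staged copy should be removed along with the update rather than left in place.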
