Lenovo Vantage Vulnerabilities Allow Attackers to Escalate Privileges as SYSTEM User

Posted on July 17, 2025 by CWS

A trio of newly disclosed vulnerabilities, CVE-2025-6230, CVE-2025-6231 and CVE-2025-6232, underscores how a single trusted OEM utility can become a springboard for full machine compromise.

Lenovo Vantage, shipped by default on most modern ThinkPad and ThinkBook laptops, runs a core service as NT AUTHORITY\SYSTEM and dynamically loads C# plug-ins to expose update, hardware-control and telemetry features.

Because these add-ins are expected to talk to the privileged service over a proprietary JSON-over-RPC protocol, any flaw in input validation or path handling directly widens the attack surface for local adversaries.

Lenovo released patches on 8 July, but unpatched endpoints remain susceptible to one-click privilege escalation that grants full control of Windows endpoints.

An attacker's journey begins by bypassing Vantage's signature-based client authentication.

The service only checks that the connecting process bears a Lenovo digital signature, a control easily defeated by dropping a legitimate signed binary such as FnhotkeyWidget.exe into a writable folder and planting a malicious profapi.dll beside it.

When the trusted executable loads the hijacked DLL, the adversary gains code execution inside a Lenovo-signed context and can talk freely to the RPC interface.

Atredis analysts noted that this single weakness renders the remaining RPC attack surface fully reachable without admin rights.

Lenovo Vantage Architecture (Source – Atredis)

This architecture illustrates how each privileged add-in registers contracts that the central service blindly routes.

CVE-2025-6230
  Vulnerable component / add-in: VantageCoreAddin service handlers
  Root cause & brief technical description: Unsanitised localSetting.Component value is concatenated into SQL inside DeleteTable & DeleteSetting; stacked queries are possible in SQLite, enabling ATTACH DATABASE to overwrite arbitrary files on disk
  Attack prerequisites / exploit technique: Any unprivileged process that can talk to the Vantage JSON-RPC pipe (bypassing the signature check via DLL hijack of a Lenovo-signed helper) sends a crafted payload to execute the SQL injection
  Privilege gained & post-exploitation impact: Arbitrary file overwrite as SYSTEM → payload executes on the next privileged load, yielding a full SYSTEM shell
  Patched version: VantageCoreAddin ≥ 1.0.0.199

CVE-2025-6231
  Vulnerable component / add-in: LenovoSystemUpdateAddin
  Root cause & brief technical description: Path traversal in AppID builds a manifest path outside the trusted directory, and a TOCTOU race lets the attacker swap a symlink after signature validation but before the second read, loading an untrusted installer manifest
  Attack prerequisites / exploit technique: Craft a Do-DownloadAndInstallAppComponent RPC request with AppID="..\..\..\..\boo2MLeno" and leverage BaitAndSwitch to race the manifest read; the malicious XML then runs the installer with attacker-controlled parameters
  Privilege gained & post-exploitation impact: Chosen installer runs under Admin or SYSTEM context; attacker appends flags or environment tweaks to spawn arbitrary code as SYSTEM
  Patched version: LenovoSystemUpdateAddin ≥ 1.0.24.32

CVE-2025-6232
  Vulnerable component / add-in: VantageCoreAddin Set-KeyChildren
  Root cause & brief technical description: Allow-list only checks for the substring "HKCU\SOFTWARE\Lenovo"; attacker supplies a path like HKLM\…\Battery1\HKCU\SOFTWARE\Lenovo, which passes the filter and targets writable Lenovo power-management keys in HKLM
  Attack prerequisites / exploit technique: Modify the DACL on the writable HKLM key, create a subkey that mirrors the fake HKCU path, then add an NT registry symlink to the real HKLM service path; the next RPC write flips a service's ImagePath to an attacker binary
  Privilege gained & post-exploitation impact: Service restart or reboot executes the attacker binary as SYSTEM, giving persistent full control
  Patched version: VantageCoreAddin ≥ 1.0.0.199

The most important contract, VantageCoreAddin, contains a pair of classic SQL-injection primitives that touch the configuration database stored at C:\ProgramData\Lenovo\Vantage\Settings\LocalSettings.db.

Because the component name inside the DeleteTable and DeleteSetting handlers is interpolated directly into a DROP TABLE or DELETE FROM statement, stacked queries are possible, letting an adversary overwrite arbitrary files via SQLite's ATTACH DATABASE feature:

// The component name arrives straight from the RPC request and is interpolated into the DDL statement unescaped
string cmd = $"drop table {localSetting.Component}";
sqliteCommand.CommandText = cmd;
sqliteCommand.ExecuteNonQuery(); // CVE-2025-6230
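The unsafe concatenation above next to a hardened handler, as an added example that is not from the page or from Lenovo's code: it uses Python's sqlite3 against a constructed in-memory database standing in for LocalSettings.db, with hypothetical table names, and shows why a table name (an identifier, not a bindable value) must be allow-listed and looked up in the catalogue before it reaches DDL.

```python
import re
import sqlite3


def make_sample_db():
    # Constructed stand-in for Vantage's LocalSettings.db; the schema is hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE settings_Display(key TEXT, value TEXT);"
        "CREATE TABLE settings_Battery(key TEXT, value TEXT);"
        "INSERT INTO settings_Battery VALUES('mode', 'conservation');"
    )
    return conn


def delete_table_vulnerable(conn, component):
    # Same shape as the C# snippet: the caller-supplied name lands in the statement verbatim.
    # executescript() runs stacked statements, mirroring the stacked-query behaviour in the article.
    conn.executescript(f"DROP TABLE {component}")


IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")


def delete_table_hardened(conn, component):
    # 1. Identifiers cannot be bound as ? parameters, so restrict them to a strict character class.
    if not IDENT.fullmatch(component):
        raise ValueError(f"rejected component name: {component!r}")
    # 2. Only act on a table that really exists, using a parameterised catalogue lookup.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (component,)
    ).fetchone()
    if row is None:
        raise LookupError(f"unknown component table: {component!r}")
    # 3. Quote the validated identifier; execute() also refuses more than one statement.
    conn.execute(f'DROP TABLE "{row[0]}"')
    return row[0]


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)
```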

Exploiting Registry Misvalidation for SYSTEM-Level Access

CVE-2025-6232 delivers the coup de grâce. The Set-KeyChildren command purports to restrict writes to HKCU\SOFTWARE\Lenovo, but the whitelist check merely searches for that substring, permitting a crafted path such as HKLM\SOFTWARE\WOW6432Node\Lenovo\PWRMGRV\ConfKeys\Data\Battery1\HKCU\SOFTWARE\Lenovo.

Several Lenovo power-management keys beneath that location inherit FullControl for any logged-in user, providing a writable bridge from an unprivileged to a privileged hive.
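To show why a substring allow-list fails and what a component-wise prefix check looks like, an added example that is not Lenovo's code: the substring test described above beside a hardened validator that normalises the hive alias, splits the path into components and requires the allowed key to be a prefix. The crafted path in the test is constructed to have the shape the article describes, not the real Lenovo key.

```python
ALLOWED_PREFIX = ("HKCU", "SOFTWARE", "LENOVO")

# Hive aliases normalised to a short form; any other root is rejected outright.
HIVE_ALIASES = {
    "HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU",
    "HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM",
}


def is_allowed_substring(path):
    # The check the article attributes to Set-KeyChildren: the string may appear anywhere.
    return "HKCU\\SOFTWARE\\Lenovo" in path


def is_allowed_prefix(path):
    # Hardened: normalise separators, resolve the hive alias, then require that the
    # allow-listed key is a component-wise prefix of the path, not merely present in it.
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts or ".." in parts or "." in parts:
        return False
    hive = HIVE_ALIASES.get(parts[0].upper())
    if hive is None:
        return False
    normalised = [hive] + [p.upper() for p in parts[1:]]
    # A hive name may appear only once, at the root; "...\Battery1\HKCU\..." is rejected here.
    if any(p in HIVE_ALIASES for p in normalised[1:]):
        return False
    return tuple(normalised[:len(ALLOWED_PREFIX)]) == ALLOWED_PREFIX
```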

After inheritable ACLs are added with PowerShell, the attacker creates a registry symbolic link that maps the fake HKCU path to the real HKLM branch:

RegCreateKeyEx(HKEY_LOCAL_MACHINE,
    L"SOFTWARE\\...\\Battery1\\HKCU\\SOFTWARE\\Lenovo\\Test",
    0, nullptr, REG_OPTION_CREATE_LINK, KEY_WRITE, nullptr, &hKey, nullptr);
RegSetValueEx(hKey, L"SymbolicLinkValue", 0, REG_LINK,
    (BYTE*)L"\\REGISTRY\\MACHINE\\SOFTWARE\\Lenovo",
    wcslen(L"\\REGISTRY\\MACHINE\\SOFTWARE\\Lenovo") * sizeof(WCHAR)); // CVE-2025-6232

Subsequent RPC writes silently modify real HKLM service keys; pointing ImagePath to attacker-controlled binaries yields immediate SYSTEM execution on reboot or service restart.

As Windows' symlink mitigation forbids direct HKCU→HKLM links, leveraging Lenovo's mispermissioned keys elegantly sidesteps the barrier.

Although Lenovo's July update raises the add-ins to VantageCoreAddin 1.0.0.199 and LenovoSystemUpdateAddin 1.0.24.32, security teams should push the patch urgently, audit registry ACLs for lingering abuse, and consider removing or restricting Vantage entirely in hardened environments.

Until then, any commodity malware able to land on disk can chain these flaws to attain the highest privileges with almost no user interaction—a sobering reminder that trusted bloatware often hides enterprise-grade backdoors in plain sight.
