A significant security vulnerability has been found in Lenovo's preloaded Windows operating systems: a writable file inside the Windows directory lets attackers bypass Microsoft's AppLocker application-control framework.
The issue affects all variants of Lenovo machines running the default Windows installation and has serious implications for enterprise security environments.
The vulnerability centers on the MFGSTAT.zip file located in the C:\Windows directory. The file carries incorrect permissions that allow any authenticated user to write to it and to execute content from that location.
Key Takeaways
1. A writable MFGSTAT.zip file in Lenovo's Windows directory bypasses AppLocker protection because of incorrect permissions.
2. The technique uses Alternate Data Streams to hide executables inside the zip file, then runs them through legitimate Windows processes.
3. It affects all Lenovo machines with preloaded Windows; it was discovered in 2019 but is still present in 2025.
4. Delete the file using a PowerShell command or enterprise management tools; no patch is available.
This configuration creates a critical security gap in environments where AppLocker's default rules are deployed, because those rules allow execution from any location within the Windows folder structure and therefore trust anything an attacker can write there.
Exploitation Technique Leverages Alternate Data Streams (ADS)
The exploitation technique leverages Alternate Data Streams (ADS), a lesser-known NTFS feature that lets an attacker hide executable content inside a seemingly benign file.
Oddvar Moe of TrustedSec demonstrated the attack by embedding the autoruns.exe utility from Microsoft Sysinternals into the vulnerable zip file using the following command sequence:
After the data-stream injection, the hidden payload can be executed through a legitimate Microsoft Office application loader:
This Living Off The Land Binary (LOLBin) technique abuses trusted Windows processes to execute unauthorized code while evading conventional security monitoring.
The attack vector is particularly concerning because it relies on legitimate system components, which makes detection considerably harder for security teams.
The vulnerability was originally discovered in 2019 during routine security assessments but remained unaddressed until Moe's re-investigation in 2025.
After confirming that the issue persisted across multiple Lenovo device generations, the researcher contacted Lenovo's Product Security Incident Response Team (PSIRT).
Lenovo's response indicates that it will not release a software patch; instead, it will provide remediation guidance.
Mitigation Strategies
Organizations can remediate immediately through several methods. The most straightforward approach is to remove the vulnerable file using PowerShell:
Alternatively, administrators can use Command Prompt with the hidden-file attribute flag, since the file is marked hidden:
Enterprise environments should use Group Policy Preferences, System Center Configuration Manager (SCCM), or similar management tools to ensure systematic removal across all affected systems.
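The following PowerShell script is an added example, not the article's or Lenovo's own remediation command. It audits the file's ACL for write access granted to non-privileged principals, lists any alternate data streams already attached to it (the indicator a defender would want to capture before deletion), and then removes the hidden file. It assumes an elevated PowerShell session and the C:\Windows\MFGSTAT.zip path named above.

```powershell
# Added example (not from the article or from Lenovo/TrustedSec): audit and remove the
# writable MFGSTAT.zip that AppLocker's default Windows-folder path rule would trust.
# Assumes an elevated session; the path is the one the article names.
$target = Join-Path $env:SystemRoot 'MFGSTAT.zip'

if (-not (Test-Path -LiteralPath $target)) {
    Write-Output "Not present: $target"
    return
}

# 1. Which non-privileged principals can write here? A user-writable file under
#    %SystemRoot% is exactly what turns the default AppLocker path rule into a bypass.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData
$acl = Get-Acl -LiteralPath $target
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -and
        $_.IdentityReference -match 'Authenticated Users|\\Users$|Everyone'
    } |
    ForEach-Object { Write-Warning "Writable by $($_.IdentityReference): $($_.FileSystemRights)" }

# 2. Detection: any stream other than the default ':$DATA' means content has already
#    been tucked into the file via ADS. Record it (name and size) before deleting.
Get-Item -LiteralPath $target -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { Write-Warning "Alternate data stream found: $($_.Stream) ($($_.Length) bytes)" }

# 3. Remediation: the file carries the hidden attribute, so -Force is required
#    for Remove-Item to delete it.
Remove-Item -LiteralPath $target -Force
Write-Output "Removed: $target"
```

Run it through your management tooling (GPP, SCCM or similar) if you need the warnings collected fleet-wide before the deletion step.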
This incident underscores the importance of thorough filesystem auditing when deploying AppLocker: the default path rules trust the whole Windows folder, so a single user-writable file there is enough to undermine the control.