A significant security flaw has been identified in Lenovo's Dispatcher drivers, enabling local, authenticated attackers to execute arbitrary code in kernel mode on affected Windows systems. The vulnerability, designated CVE-2025-8061, stems from an IOCTL interface the driver exposes without adequate access control, and it puts users still running older driver versions at substantial risk.
Understanding the Vulnerability
The Lenovo Dispatcher drivers, specifically versions 3.0 and 3.1, ship with Lenovo's Dispatcher software on certain consumer notebooks. These versions expose an Input/Output Control (IOCTL) interface without enforcing proper access restrictions. The weakness is classified as CWE-782 (Exposed IOCTL with Insufficient Access Control): any authenticated local user who can open a handle to the device can issue the driver's privileged operations, which can be turned into code execution in kernel mode and complete system compromise.
The National Vulnerability Database has assigned the flaw a Common Vulnerability Scoring System (CVSS) 4.0 score of 7.3, rated high. The assessment records high impact on confidentiality, integrity and availability, tempered by the need for local access and a high attack complexity.
Affected Systems
The affected component is the LnvMSRIO.sys driver up to and including version 3.1.0.36, shipped with Dispatcher 3.0 and 3.1. Exposure is greatest on Lenovo laptops running Windows 10, or Windows 11 images on which Memory Integrity is not enabled by default. Lenovo fixed the flaw in driver version 3.1.0.41, released in September 2025; Dispatcher versions 3.2 and above are not affected.
An important mitigation is Windows Core Isolation Memory Integrity (hypervisor-protected code integrity, HVCI), which is enabled by default on Windows 11 Lenovo systems. With it on, the published exploitation technique does not work, which substantially reduces real-world risk for users on current Windows 11 builds.
Technical Breakdown of the Exploit
Security researcher Luis Casvella of Quarkslab published an in-depth analysis of the exploit in a blog post dated September 2025. Casvella showed how the driver's Model-Specific Register (MSR) read primitive leaks kernel addresses: reading the LSTAR register (MSR 0xC0000082) returns the address of KiSystemCall64, the kernel's syscall entry point, from which the kernel image base can be derived. That defeats kernel Address Space Layout Randomization (ASLR). Supervisor Mode Execution Prevention (SMEP), which stops the kernel from executing user-mode pages, is a separate obstacle and is handled in the exploit by clearing the SMEP bit in CR4.
The proof-of-concept (PoC) exploit includes token-stealing shellcode that copies the SYSTEM process's token into the attacker's process. A subsequent GitHub repository by user symeonp offers a functional PoC that spawns a SYSTEM shell on Windows 11 24H2. It is hardcoded for build 26100.1: the offset of KiSystemCall64 from the kernel base (0x6b2b40 on that build) must be adjusted for other builds, and the exploit clears bit 20 of CR4 to disable SMEP before its shellcode runs.
The exploitation process involves:
1. Reading MSRs to Locate the Kernel: Reading LSTAR through the driver's IOCTL yields the address of KiSystemCall64; subtracting that symbol's build-specific offset gives the kernel image base, so the attacker knows where everything else in the kernel lives.
2. Injecting Shellcode: The shellcode walks kernel structures, from _KPCR to the current thread's _EPROCESS and along ActiveProcessLinks to the System process (PID 4), then copies the System token over the attacker process's token, escalating it to SYSTEM.
3. Restoring Registers: To avoid a crash, the exploit restores CR4 and LSTAR to their original values once the shellcode has run.
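As an added example, not code from Quarkslab's blog post or the symeonp repository, the following C program models the three steps above in user space: the LSTAR-to-kernel-base arithmetic, the CR4.SMEP bit handling, and the ActiveProcessLinks walk that copies System's token. Only the 0x6b2b40 offset, the LSTAR MSR number and CR4 bit 20 come from the article; the struct layout, addresses and token values are constructed for illustration, and nothing here talks to a driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: a user-space MODEL of the three exploit steps. It is not
 * the Quarkslab or symeonp exploit. Only KISYSTEMCALL64_RVA (build 26100.1),
 * MSR_LSTAR and CR4 bit 20 are taken from the article; every struct layout,
 * address and token value below is constructed and does NOT match real
 * Windows kernel structures.
 */
#define MSR_LSTAR           0xC0000082u        /* article: LSTAR MSR number */
#define KISYSTEMCALL64_RVA  0x6b2b40ULL        /* article: build 26100.1 only */
#define CR4_SMEP            (1ULL << 20)       /* SMEP enable bit in CR4 */
#define SYSTEM_PID          4ULL               /* PID of the System process */

/* Step 1: LSTAR holds the virtual address of KiSystemCall64 (the syscall
 * entry point). Subtracting the symbol's image-relative offset yields the
 * kernel image base, which defeats KASLR. */
uint64_t kernel_base_from_lstar(uint64_t lstar)
{
    return lstar - KISYSTEMCALL64_RVA;
}

/* SMEP forbids ring-0 execution of user-mode pages, so a PoC that sends the
 * kernel into user-space shellcode must clear CR4.SMEP first and write the
 * original value back afterwards (step 3). */
int      smep_enabled(uint64_t cr4)   { return (cr4 & CR4_SMEP) != 0; }
uint64_t cr4_clear_smep(uint64_t cr4) { return cr4 & ~CR4_SMEP; }

/* Step 2 model: the three _EPROCESS fields token stealing needs. The real
 * _EPROCESS is thousands of bytes with build-specific offsets; this is a
 * constructed stand-in. */
typedef struct eprocess {
    uint64_t         pid;      /* UniqueProcessId */
    struct eprocess *next;     /* ActiveProcessLinks.Flink, simplified */
    uint64_t         token;    /* Token (EX_FAST_REF: low 4 bits = ref count) */
} eprocess_t;

/* Walk the circular ActiveProcessLinks list starting at `self`. */
eprocess_t *find_process(eprocess_t *self, uint64_t pid)
{
    eprocess_t *p = self;
    do {
        if (p->pid == pid)
            return p;
        p = p->next;
    } while (p && p != self);
    return NULL;
}

/* Copy System's token pointer into `self`, keeping self's EX_FAST_REF
 * reference-count bits so the kernel's bookkeeping stays consistent.
 * Returns 1 on success, 0 if System was not found in the list. */
int steal_token(eprocess_t *self)
{
    eprocess_t *sys = find_process(self, SYSTEM_PID);
    if (!sys)
        return 0;
    self->token = (sys->token & ~0xFULL) | (self->token & 0xFULL);
    return 1;
}

/* Constructed sample: a three-process list in which the attacker's process
 * (PID 1234) holds a low-privilege token with reference count 7. Returns the
 * attacker's token after the steal, or 0 on failure. */
uint64_t demo_steal_system_token(void)
{
    eprocess_t sys   = { SYSTEM_PID, NULL, 0xffff9a0c11223340ULL };
    eprocess_t lsass = { 700ULL,     NULL, 0xffff9a0c11229a60ULL };
    eprocess_t self  = { 1234ULL,    NULL, 0xffff9a0c1f00c707ULL };
    sys.next = &lsass; lsass.next = &self; self.next = &sys;   /* circular */

    if (!steal_token(&self))
        return 0;
    return self.token;
}

int main(void)
{
    uint64_t lstar = 0xfffff80012eb2b40ULL;  /* constructed leaked LSTAR value */
    uint64_t cr4   = 0x370678ULL;            /* constructed CR4 with SMEP set */
    printf("MSR 0x%x (LSTAR) = 0x%llx\n", MSR_LSTAR, (unsigned long long)lstar);
    printf("kernel base       = 0x%llx\n", (unsigned long long)kernel_base_from_lstar(lstar));
    printf("CR4 without SMEP  = 0x%llx\n", (unsigned long long)cr4_clear_smep(cr4));
    printf("token after steal = 0x%llx\n", (unsigned long long)demo_steal_system_token());
    return 0;
}
```

The preserved low four bits of the token field are why naive shellcode that copies the whole 64-bit value can still work: the pointer part is what grants SYSTEM, and the reference count only matters when the token is later dereferenced by the kernel.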
Casvella's analysis also identified four related bugs in the driver and framed it as a Bring Your Own Vulnerable Driver (BYOVD) candidate: because the driver is legitimately signed, it loads cleanly under Driver Signature Enforcement (DSE) on any Windows system an attacker already administers, and its IOCTL primitives can then be used for post-exploitation, including disabling DSE to load unsigned kernel code.
Implications and Recommendations
No in-the-wild exploitation has been reported, but with a working PoC public, adapting it to another target is a matter of changing per-build offsets rather than discovering anything new. Users should act now to secure their systems.
Recommended Actions:
1. Update Dispatcher Drivers: Lenovo strongly advises users to update to Dispatcher Driver version 3.1.0.41 or later. Updates can be obtained through Windows Update or directly from Lenovo’s support website.
2. Enable Core Isolation Memory Integrity: Users should verify that Memory Integrity is enabled. Open Windows Security, go to Device Security, then Core isolation details, and ensure the Memory Integrity toggle is on. On current hardware the performance cost is modest, and the feature blocks the published exploit technique.
3. Monitor for Vulnerable Drivers: Organizations should scan endpoints for the vulnerable driver version, for example with AhnLab's tooling, and alert when an unexpected user-mode process opens a handle to the driver's device, since obtaining that handle is the precondition for issuing the IOCTL.
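A quick way to apply recommendations 1 and 2 across a fleet, as an added PowerShell check that is not Lenovo's or the article's code: it locates the LnvMSRIO driver service, compares the file version with the fixed 3.1.0.41 from the article, and reads Win32_DeviceGuard to see whether Memory Integrity (HVCI) is running. The fallback driver path is an assumption, and the Dispatcher package version and the .sys file version may not match exactly, so confirm the fixed file version against Lenovo's advisory for your model.

```powershell
# Added example (not Lenovo's or the article's code): report whether this host
# runs a vulnerable LnvMSRIO.sys and whether Memory Integrity (HVCI) is active.
# The fixed version comes from the article; the default path is an assumption.
$FixedVersion = [version]'3.1.0.41'
$DefaultPath  = Join-Path $env:SystemRoot 'System32\drivers\LnvMSRIO.sys'

$result = [ordered]@{
    DriverPresent    = $false
    DriverPath       = $null
    DriverState      = $null
    DriverVersion    = $null
    DriverVulnerable = $false
    HvciRunning      = $false
}

# Prefer the registered driver service so a relocated copy is still found.
$svc = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
       Where-Object { $_.Name -like 'LnvMSRIO*' } | Select-Object -First 1

$path = if ($svc) { $svc.PathName -replace '^\\\?\?\\', '' } else { $DefaultPath }
if ($svc) { $result.DriverState = $svc.State }

if (Test-Path -LiteralPath $path) {
    $result.DriverPresent = $true
    $result.DriverPath    = $path
    $raw = (Get-Item -LiteralPath $path).VersionInfo.FileVersion   # e.g. "3.1.0.36"
    # FileVersion strings can carry trailing text; keep the leading dotted numbers.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') {
        $result.DriverVersion    = [version]$Matches[1]
        $result.DriverVulnerable = $result.DriverVersion -lt $FixedVersion
    }
}

# Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { $result.HvciRunning = $true }

[pscustomobject]$result

if ($result.DriverVulnerable -and -not $result.HvciRunning) {
    Write-Warning ("LnvMSRIO.sys {0} is below {1} and Memory Integrity is off: " +
                   "this host is exposed to CVE-2025-8061.") -f $result.DriverVersion, $FixedVersion
} elseif ($result.DriverVulnerable) {
    Write-Warning "Vulnerable LnvMSRIO.sys present; Memory Integrity is on but the driver should still be updated."
}
```

Run it elevated so the driver file and the DeviceGuard namespace are readable, and feed the output objects into whatever inventory tool you already use; the two boolean fields are the ones worth alerting on.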
Disclosure Timeline
The vulnerability was discovered by Quarkslab, which began coordinating with Lenovo in June 2025. After some delays, Lenovo released the fixed driver in September 2025. The roughly three-month window between report and fix is a reminder that vulnerability management has to include drivers bundled by the OEM, not just the operating system.
Conclusion
The release of a proof-of-concept exploit for the CVE-2025-8061 vulnerability in Lenovo’s Dispatcher drivers serves as a stark reminder of the ongoing challenges in cybersecurity. Users and organizations must prioritize updating their systems and enabling available security features to mitigate the risk of exploitation. Proactive measures and continuous monitoring are essential to safeguard against potential privilege escalation attacks that could compromise system integrity and security.