A critical security vulnerability has been identified in Lenovo’s preloaded Windows operating systems, where a writable file within the Windows directory allows attackers to circumvent Microsoft’s AppLocker security framework. This issue affects all Lenovo machines running default Windows installations and poses significant risks to enterprise security environments.
Understanding the Vulnerability
The core of this vulnerability lies in the `MFGSTAT.zip` file located in the `C:\Windows\` directory. The file ships with incorrect permissions that let any authenticated user write to it, so a standard user can replace or extend its contents. This is a substantial gap in environments where AppLocker's default rules are deployed: those rules allow execution of anything under the Windows folder on the assumption that only administrators can write there, so a user-writable file inside `C:\Windows\` becomes a pre-approved launch location.
Exploitation Through Alternate Data Streams
Attackers can exploit this vulnerability by leveraging Alternate Data Streams (ADS), a feature of the NTFS file system that lets additional named data be attached to a file without changing its primary content. Directory listings and most casual file inspection show only the primary stream, so a payload stored in a named stream of a benign-looking file is easy to overlook.
Security researcher Oddvar Moe from TrustedSec demonstrated this attack by embedding the `autoruns.exe` utility from Microsoft Sysinternals into the vulnerable zip file using the following command sequence:
```
type C:\Tools\autoruns.exe > C:\Windows\MFGSTAT.zip:autoruns.exe
```
After injecting the data stream, the malicious payload can be executed using a legitimate Windows process, such as the Microsoft Office application loader:
```
"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE" /embedding C:\Windows\MFGSTAT.zip:autoruns.exe
```
This method, known as a Living Off The Land Binary (LOLBin) technique, abuses a signed, trusted Windows or Office binary (here `MSACCESS.EXE`) to load unauthorized code, so the execution passes both AppLocker's path rules and any monitoring that trusts well-known process names. Because only legitimate system components appear in the process tree, detection is significantly harder for security teams.
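The two preconditions for this bypass, a writable `MFGSTAT.zip` that may already carry a named stream and an AppLocker policy that trusts the whole Windows folder, can both be checked from the defender's side. The following PowerShell script is an added example, not code from the article or from the researcher's write-up; the file path is the one the article names, and the script assumes the AppLocker PowerShell module is present (it ships with the Windows editions that support AppLocker).

```powershell
# Added example (not from the article or the researcher's write-up): check one host for the
# two preconditions of this bypass. Needs the AppLocker PowerShell module.
param(
    [string]$Path = 'C:\Windows\MFGSTAT.zip'
)

# 1. Is the file present, and has anything already been staged in an alternate data stream?
#    ':$DATA' is the file's own content; any other stream name on this file is unexpected.
if (Test-Path -LiteralPath $Path) {
    $extra = @(Get-Item -LiteralPath $Path -Stream * | Where-Object { $_.Stream -ne ':$DATA' })
    if ($extra.Count -eq 0) {
        Write-Output "$Path is present with no extra streams."
    }
    foreach ($s in $extra) {
        Write-Output ("FINDING: stream '{0}' ({1} bytes) on {2}; preserve it before removing the file" -f $s.Stream, $s.Length, $Path)
    }
} else {
    Write-Output "$Path not present."
}

# 2. Does the effective AppLocker policy contain an Allow path rule that trusts %WINDIR%
#    wholesale and carves out no exception for this file? That is what the default rule
#    set generates, and it is what turns a writable file into an execution path.
if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) {
    Write-Output 'AppLocker module not available; policy check skipped.'
    return
}
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
foreach ($rule in $policy.SelectNodes('//FilePathRule[@Action="Allow"]')) {
    $collection = $rule.ParentNode.GetAttribute('Type')   # Exe, Dll, Script, ...
    foreach ($cond in $rule.SelectNodes('Conditions/FilePathCondition')) {
        $allowed = $cond.GetAttribute('Path')
        if ($allowed -notlike '%WINDIR%*') { continue }
        # Collect the rule's exceptions; an empty list means nothing under %WINDIR% is excluded.
        $exceptions = @($rule.SelectNodes('Exceptions/FilePathCondition') | ForEach-Object { $_.GetAttribute('Path') })
        if (-not ($exceptions -like '*MFGSTAT.zip*')) {
            Write-Output ("FINDING: {0} rule '{1}' allows {2} with no exception for MFGSTAT.zip" -f $collection, $rule.GetAttribute('Name'), $allowed)
        }
    }
}
```

A host that reports both findings is exposed exactly as the article describes. The stream check is worth running before any removal, since deleting the file also deletes whatever an attacker may have stored in its streams, and that content is evidence.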
Historical Context and Lenovo’s Response
The vulnerability was initially discovered in 2019 during routine security assessments but remained unaddressed until Moe’s recent re-investigation in 2025. Upon confirming the persistence of the issue across multiple Lenovo device generations, the researcher contacted Lenovo’s Product Security Incident Response Team (PSIRT).
Lenovo’s response indicates that they will not release a software patch; instead, they will provide remediation guidance. This approach underscores the importance of proactive security measures by users and administrators to mitigate potential risks.
Mitigation Strategies
Organizations can implement immediate remediation through several methods:
1. Removing the Vulnerable File Using PowerShell:
Administrators can delete the `MFGSTAT.zip` file using the following PowerShell command:
```
Remove-Item -Path C:\Windows\MFGSTAT.zip -Force
```
2. Using Command Prompt with Hidden File Attribute Flag:
Alternatively, the file can be removed from an elevated Command Prompt; the `/A:H` switch is needed because the file carries the hidden attribute, which a plain `del` would skip:
```
del /A:H C:\Windows\MFGSTAT.zip
```
3. Enterprise Management Tools:
In enterprise environments, administrators should leverage Group Policy Preferences, System Center Configuration Manager (SCCM), or similar management tools to ensure systematic removal across all affected systems.
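The three steps above can be folded into one idempotent function that removes the file, verifies the result, and returns a record per machine so it can be fanned out with the management tooling of your choice. This PowerShell is an added example, not the article's own commands or Lenovo's remediation guidance; the host list file `lenovo-hosts.txt` in the commented fleet run is a hypothetical name.

```powershell
# Added example (not from the article or Lenovo's guidance): idempotent removal of
# MFGSTAT.zip with verification. Run elevated: the file lives under C:\Windows and carries
# the Hidden attribute, which Remove-Item only clears with -Force. Any alternate data
# streams are deleted together with the file, so their names are recorded first.
function Remove-MfgstatArtifact {
    param([string]$Path = 'C:\Windows\MFGSTAT.zip')

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $Path; Status = 'NotPresent'; ExtraStreams = '' }
    }

    # Names of any non-default streams, kept in the result so the finding is not lost.
    $streams = @(Get-Item -LiteralPath $Path -Stream * | Where-Object { $_.Stream -ne ':$DATA' })

    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $Path; Status = "Failed: $($_.Exception.Message)"; ExtraStreams = ($streams.Stream -join ',') }
    }

    # Verify rather than trust the cmdlet's silence.
    $status = if (Test-Path -LiteralPath $Path) { 'StillPresent' } else { 'Removed' }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Path         = $Path
        Status       = $status
        ExtraStreams = ($streams.Stream -join ',')
    }
}

# Local run:
Remove-MfgstatArtifact

# Fleet run over WinRM (hypothetical host list), one result row per machine:
# Invoke-Command -ComputerName (Get-Content .\lenovo-hosts.txt) -ScriptBlock ${function:Remove-MfgstatArtifact} |
#     Export-Csv .\mfgstat-remediation.csv -NoTypeInformation
```

The same function body can be dropped into a Group Policy startup script or an SCCM/Intune remediation script; the returned `Status` field gives the compliance check something to assert on, and any row with a non-empty `ExtraStreams` value should be routed to incident response.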
This incident highlights the crucial importance of comprehensive filesystem auditing when implementing AppLocker deployments. Even minor oversights can create significant security vulnerabilities that bypass fundamental access controls.
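The filesystem audit that the paragraph above calls for is mechanical: walk the Windows directory and list every file or folder where a low-privilege principal holds a write right, since each such location is trusted by the AppLocker default path rules. The script below is an added example and not from the article; it generalises beyond `MFGSTAT.zip` to the whole `%WINDIR%` tree, and the report path under `%TEMP%` is an assumption.

```powershell
# Added example (not from the article): enumerate every file and directory under %WINDIR%
# that a low-privilege principal may create or modify. Each hit is a location the AppLocker
# default "allow everything in the Windows folder" rules trust, so each needs either a
# permission fix or an explicit rule exception. Run elevated; the full tree takes a while.
param(
    [string]$Root   = $env:WINDIR,
    [string]$Report = "$env:TEMP\windir-writable.csv"   # output location is an assumption
)

$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# WriteData/AppendData on files are the same bits as CreateFiles/CreateDirectories on folders.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
             [System.Security.AccessControl.FileSystemRights]::AppendData

$findings = @(
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # cannot read this ACL; skip the entry
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Type      = if ($item.PSIsContainer) { 'Directory' } else { 'File' }
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
)

$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Output ("{0} writable location(s) under {1}; details in {2}" -f $findings.Count, $Root, $Report)
```

Expect the well-known user-writable paths such as `%WINDIR%\Temp` and `%WINDIR%\Tasks` to appear alongside any vendor leftovers like `MFGSTAT.zip`; the former need AppLocker rule exceptions, the latter need removal or an ACL fix. ACEs expressed with generic rights show up as large numbers in the `Rights` column and are not matched by the mask, so review those by hand. The Sysinternals `accesschk.exe -w -s -u Users C:\Windows` command is the single-line equivalent of this scan.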
Broader Implications and Recommendations
The discovery of this vulnerability is part of a broader pattern of security issues associated with Lenovo’s pre-installed software and system configurations. For instance, in 2015, researchers identified a privilege escalation vulnerability in Lenovo’s System Update application, which allowed attackers to execute arbitrary code with system-level privileges. Similarly, in 2019, a flaw in the Lenovo Solution Center was found to enable attackers to gain administrative privileges within minutes.
These recurring vulnerabilities underscore the need for users and organizations to:
– Regularly Audit System Configurations: Conduct thorough reviews of system settings and file permissions to identify and rectify potential security gaps.
– Update and Patch Systems Promptly: Ensure that all software, especially pre-installed applications, is updated to the latest version to benefit from security patches and improvements.
– Implement Robust Security Policies: Develop and enforce security policies that limit the execution of unauthorized code and monitor for unusual activities within the system.
– Educate Users: Provide training and resources to users about potential security threats and best practices for maintaining system integrity.
By adopting these proactive measures, organizations can enhance their security posture and mitigate the risks associated with such vulnerabilities.