Lenovo Vantage Vulnerabilities Allow Attackers to Escalate Privileges as SYSTEM User
A trio of newly disclosed vulnerabilities, CVE-2025-6230, CVE-2025-6231 and CVE-2025-6232, underscores how a single trusted OEM utility can become a springboard for full machine compromise.
Lenovo Vantage, shipped by default on most modern ThinkPad and ThinkBook laptops, runs a core service as NT AUTHORITY\SYSTEM and dynamically loads C# plug-ins to expose update, hardware-control and telemetry features.
Because these add-ins are expected to talk to the privileged service through a proprietary JSON-over-RPC protocol, any flaw in input validation or path handling instantly widens the attack surface for local adversaries.
Lenovo released patches on 8 July, but unpatched endpoints remain susceptible to one-click privilege escalation that grants complete control of Windows endpoints.
An attacker’s journey begins by bypassing Vantage’s signature-based client authentication.
The service only checks that the connecting process bears a Lenovo digital signature, a control easily defeated by dropping a legitimate signed binary such as FnhotkeyWidget.exe into a writable folder and planting a malicious profapi.dll beside it.
When the trusted executable loads the hijacked DLL, the adversary gains code execution inside a Lenovo-signed context and can speak freely to the RPC interface.
Atredis analysts noted that this single weakness renders the remaining RPC attack surface fully reachable without admin rights.
This architecture illustrates how each privileged add-in registers contracts that the central service blindly routes.
| CVE ID | Vulnerable component / add-in | Root cause & brief technical description | Attack prerequisites / exploit technique | Privilege gained & post-exploitation impact | Patched version |
|---|---|---|---|---|---|
| CVE-2025-6230 | VantageCoreAddin service handlers | Unsanitised localSetting.Component value is concatenated into SQL inside DeleteTable and DeleteSetting; stacked queries possible in SQLite, enabling ATTACH DATABASE to overwrite arbitrary files on disk | Any unprivileged process that can talk to the Vantage JSON-RPC pipe (bypassing the signature check via DLL hijack of a Lenovo-signed helper) sends a crafted payload to execute SQL injection | Arbitrary file overwrite as SYSTEM → execute payload on next privileged load, yielding full SYSTEM shell | VantageCoreAddin ≥ 1.0.0.199 |
| CVE-2025-6231 | LenovoSystemUpdateAddin | Path traversal in AppID builds manifest path outside trusted directory, and a TOCTOU race lets attacker swap a symlink after signature validation but before second read, loading untrusted installer manifest | Craft Do-DownloadAndInstallAppComponent RPC request with AppID="..\..\..\..\boo2\MLeno" and leverage BaitAndSwitch to race the manifest read; malicious XML then runs installer with attacker-controlled parameters | Chosen installer runs under Admin or SYSTEM context; attacker appends flags or environment tweaks to spawn arbitrary code as SYSTEM | LenovoSystemUpdateAddin ≥ 1.0.24.32 |
| CVE-2025-6232 | VantageCoreAddin Set-KeyChildren | Allow-list only checks for the substring "HKCU\SOFTWARE\Lenovo"; attacker supplies a path like HKLM\...\Battery1\HKCU\SOFTWARE\Lenovo, which passes the filter and targets writable Lenovo power-management keys in HKLM | Modify DACL on writable HKLM key, create subkey that mirrors fake HKCU path, then add NT registry symlink to actual HKLM service path; subsequent RPC write flips ImagePath of a service to attacker binary | Service restart or reboot executes attacker binary as SYSTEM, giving persistent full control | VantageCoreAddin ≥ 1.0.0.199 |
The most critical contract, VantageCoreAddin, contains a pair of classic SQL-injection primitives that touch the configuration database stored at C:\ProgramData\Lenovo\Vantage\Settings\LocalSettings.db. Since the component name inside the DeleteTable and DeleteSetting handlers is interpolated directly into a DROP TABLE or DELETE FROM statement, stacked queries are possible, letting an adversary use SQLite’s ATTACH DATABASE feature to create or overwrite arbitrary files:

```csharp
// Vulnerable DeleteTable handler (CVE-2025-6230): the component name is spliced
// straight into the statement, so a value containing ';' appends further queries.
string cmd = $"drop table {localSetting.Component}";
sqliteCommand.CommandText = cmd;
sqliteCommand.ExecuteNonQuery();
```
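A hardened form of those two handlers, added here as an illustration rather than Lenovo's patched code: it assumes Microsoft.Data.Sqlite as the driver and a hypothetical SettingsStore class with a Settings(Component, Key) table. Table names cannot be bound as parameters, so the component name is validated as a bare identifier and quoted before it is spliced into DROP TABLE, while DELETE FROM uses real parameters.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Data.Sqlite;

// Hypothetical hardened replacement for the VantageCoreAddin handlers.
static class SettingsStore
{
    // Component names are plain identifiers; anything else (';', quotes, spaces)
    // is rejected before it reaches the SQL engine. Length is capped as well.
    static readonly Regex Identifier =
        new(@"^[A-Za-z_][A-Za-z0-9_]{0,63}$", RegexOptions.CultureInvariant);

    public static bool IsSafeIdentifier(string name) =>
        name is not null && Identifier.IsMatch(name);

    // Identifiers cannot be parameterised, so validate, then double-quote them
    // (SQLite's standard identifier quoting) so the name is never parsed as SQL.
    public static string BuildDropTable(string component)
    {
        if (!IsSafeIdentifier(component))
            throw new ArgumentException("invalid component name", nameof(component));
        return $"DROP TABLE IF EXISTS \"{component}\"";
    }

    public static void DeleteTable(SqliteConnection conn, string component)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = BuildDropTable(component);
        cmd.ExecuteNonQuery();
    }

    // Row values can be bound: no string building at all for DeleteSetting.
    public static int DeleteSetting(SqliteConnection conn, string component, string key)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "DELETE FROM Settings WHERE Component = $component AND Key = $key";
        cmd.Parameters.AddWithValue("$component", component);
        cmd.Parameters.AddWithValue("$key", key);
        return cmd.ExecuteNonQuery();
    }

    static void Main()
    {
        Console.WriteLine(BuildDropTable("PowerSettings"));
        // A stacked-query attempt (constructed sample) never reaches the database.
        Console.WriteLine(IsSafeIdentifier("Foo; DROP TABLE Bar"));
    }
}
```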
Exploiting Registry Misvalidation for SYSTEM-Level Access
CVE-2025-6232 delivers the coup de grâce. The Set-KeyChildren command pretends to restrict writes to HKCU\SOFTWARE\Lenovo, but the whitelist check merely searches for the substring, allowing a crafted path such as HKLM\SOFTWARE\WOW6432Node\Lenovo\PWRMGRV\ConfKeys\Data\Battery1\HKCU\SOFTWARE\Lenovo.
Several Lenovo power-management keys under that location inherit FullControl for any logged-in user, enabling a writable bridge from an unprivileged to a privileged hive.
After inheritable ACLs are added with PowerShell, the attacker creates a registry symbolic link that maps the faux HKCU path to the real HKLM branch:

```cpp
#include <windows.h>

// Create the link key beneath the writable power-management branch (the "..."
// elides the full path), then point it at the real HKLM\SOFTWARE\Lenovo key.
HKEY hKey;
RegCreateKeyEx(HKEY_LOCAL_MACHINE,
               L"SOFTWARE\\...\\Battery1\\HKCU\\SOFTWARE\\Lenovo\\Test",
               0, nullptr, REG_OPTION_CREATE_LINK, KEY_WRITE, nullptr, &hKey, nullptr);
RegSetValueEx(hKey, L"SymbolicLinkValue", 0, REG_LINK,
              (const BYTE*)L"\\REGISTRY\\MACHINE\\SOFTWARE\\Lenovo",
              (DWORD)(wcslen(L"\\REGISTRY\\MACHINE\\SOFTWARE\\Lenovo") * sizeof(WCHAR))); // CVE-2025-6232
```
Subsequent RPC writes silently modify genuine HKLM service keys; pointing ImagePath to attacker-controlled binaries yields instant SYSTEM execution on reboot or service restart.
As Windows’ symlink mitigation forbids direct HKCU→HKLM links, leveraging Lenovo’s mispermissioned keys elegantly sidesteps the barrier.
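The substring check as the article describes it, beside a hardened replacement, as an added example that is not Vantage's own code (RegistryPathGuard and its method names are hypothetical): the hardened version normalises the path, rejects traversal components, and requires the allowed root as a prefix rather than anywhere in the string.

```csharp
using System;

// Hypothetical validator contrasting the flawed substring allow-list with a
// prefix check on a normalised path.
static class RegistryPathGuard
{
    const string AllowedRoot = @"HKCU\SOFTWARE\Lenovo";

    // Flawed check: the allowed root may appear anywhere, so an HKLM path that
    // merely embeds "HKCU\SOFTWARE\Lenovo" as a subkey name is accepted.
    public static bool VulnerableCheck(string path) =>
        path != null && path.IndexOf(AllowedRoot, StringComparison.OrdinalIgnoreCase) >= 0;

    // Hardened: normalise separators, reject empty, "." and ".." components and
    // embedded NULs, then require the path to be the root or a descendant of it.
    public static bool HardenedCheck(string path)
    {
        if (string.IsNullOrWhiteSpace(path) || path.Contains('\0')) return false;
        string p = path.Replace('/', '\\').TrimEnd('\\');
        foreach (string part in p.Split('\\'))
            if (part.Length == 0 || part == "." || part == "..") return false;
        return p.Equals(AllowedRoot, StringComparison.OrdinalIgnoreCase)
            || p.StartsWith(AllowedRoot + "\\", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        string[] samples =
        {
            @"HKCU\SOFTWARE\Lenovo\Vantage",                        // legitimate target
            @"HKLM\...\Battery1\HKCU\SOFTWARE\Lenovo",               // embedded root, as abbreviated in the table
            @"HKCU\SOFTWARE\Lenovo\..\..\Microsoft",                 // traversal out of the root
        };
        foreach (string s in samples)
            Console.WriteLine($"{s,-45} vulnerable={VulnerableCheck(s)} hardened={HardenedCheck(s)}");
    }
}
```

A string check alone cannot see a registry symbolic link planted beneath the allowed root, so the service should additionally perform the write while impersonating the RPC client, bounding the effect to the caller's own rights.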
Although Lenovo’s July update raises the add-ins to VantageCoreAddin 1.0.0.199 and LenovoSystemUpdateAddin 1.0.24.32, security teams should push the patch urgently, audit registry ACLs for lingering abuse, and consider removing or restricting Vantage entirely in hardened environments.
Until then, any commodity malware able to land on disk can chain these flaws to achieve the highest privileges with almost no user interaction—a sobering reminder that trusted bloatware often hides enterprise-grade backdoors in plain sight.