Thursday, July 31, 2025

Lenovo Vantage Flaws Allow Attackers to Achieve SYSTEM-Degree Privileges


Security researchers at Atredis have uncovered a number of privilege escalation vulnerabilities in Lenovo Vantage, a pre-installed management platform on Lenovo laptops that handles device updates, configuration, and system health monitoring.

These flaws, tracked as CVE-2025-6230, CVE-2025-6231, and CVE-2025-6232, allow unprivileged users to bypass authentication mechanisms and execute code with SYSTEM-level privileges, potentially leading to full system compromise.

Lenovo released patches on July 8, 2025, as part of advisory LEN-196648, addressing all identified issues.

Lenovo Vantage Flaw

The vulnerabilities stem from Lenovo Vantage's modular architecture, which consists of a central SYSTEM-privileged service communicating over RPC endpoints with pluggable add-ins written in C#.

Lenovo Vantage Architecture

This design exposes JSON-based requests routed to add-ins defined in XML files under %ProgramData%\Lenovo\Vantage\Addins, where execution contexts vary, with five add-ins running elevated.

Authentication relies on digital signature verification of client processes, a common but bypassable control also seen in vendors like Dell and Asus.

Attackers can exploit this by hijacking a signed Lenovo binary, such as FnhotkeyWidget.exe, via DLL search order hijacking in a writable directory, injecting code such as a profapi.dll payload to access the RPC interfaces.

Delving into the specifics, CVE-2025-6230 involves SQL injection flaws in the VantageCoreAddin, which manages core system functions and stores settings in a SYSTEM-protected SQLite database at C:\ProgramData\Lenovo\Vantage\Settings\LocalSettings.db.

Commands like DeleteTable and DeleteSetting fail to sanitize the "Part" field, enabling arbitrary SQL execution via stacked queries, which the .NET SQLite library supports.

Exploitation Techniques

While direct code execution is limited because user-defined functions are disabled, attackers can create files with controlled content, facilitating further escalation.

CVE-2025-6232 exploits a flawed registry whitelist in the Set-KeyChildren command, intended to restrict writes to HKCU\SOFTWARE\Lenovo but vulnerable to substring matching via IndexOf checks.

By crafting paths like HKLM\SOFTWARE\Lenovo\HKCU\SOFTWARE\Lenovo and leveraging writable Lenovo-specific HKLM keys (e.g., under SOFTWARE\WOW6432Node\Lenovo\PWRMGRV\ConfKeys\Data), adversaries can modify DACLs for inheritance, create symbolic links using RegCreateKeyEx and RegSetValueEx, and redirect writes to privileged locations.

This allows tampering with service image paths, permitting arbitrary binaries to run elevated when the service starts.
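The substring-style allowlist described for Set-KeyChildren, shown beside a hardened check, as an added example that is not code from the Atredis report or from Lenovo Vantage. The function names, the hive alias table and the test paths are assumptions constructed for this illustration; the flawed check reproduces the IndexOf pattern the article describes, and the hardened check normalizes the path and requires the allowed root as a separator-terminated prefix.

```python
# Added example (not from the Atredis report or Lenovo's code): the kind of
# substring allowlist described for Set-KeyChildren, beside a hardened version.
ALLOWED_ROOT = r"HKCU\SOFTWARE\Lenovo"

# Long hive names are folded to their short aliases before comparison so an
# alias cannot sidestep the allowlist (assumed mapping for this example).
HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


def flawed_is_allowed(key_path: str) -> bool:
    """Substring check (the IndexOf pattern): true whenever the allowed root
    appears anywhere in the path, including deep inside an HKLM key."""
    return key_path.upper().find(ALLOWED_ROOT.upper()) != -1


def normalize_key_path(key_path: str) -> str:
    """Canonicalize a registry path: one separator style, no empty or
    relative components, short hive alias, upper case (registry key names
    are case-insensitive). Raises ValueError for anything malformed."""
    parts = [p for p in key_path.replace("/", "\\").split("\\") if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError("malformed registry path")
    hive = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join([hive] + [p.upper() for p in parts[1:]])


def hardened_is_allowed(key_path: str) -> bool:
    r"""Accept only the allowed root itself or a key strictly beneath it.
    The separator in the prefix test stops HKCU\SOFTWARE\LenovoX from
    matching, and normalization defeats alias, slash and '..' variants."""
    try:
        normalized = normalize_key_path(key_path)
    except ValueError:
        return False
    root = normalize_key_path(ALLOWED_ROOT)
    return normalized == root or normalized.startswith(root + "\\")
```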

CVE-2025-6231 combines path traversal with a time-of-check-to-time-of-use (TOCTOU) race in the LenovoSystemUpdateAddin via the Do-DownloadAndInstallAppComponent command's InstallOny action.

According to the report, unsanitized AppID fields allow directory traversal to load manifests from attacker-controlled paths, while non-atomic validation in GetAppInformation, which uses XMLFileValidator for signature checks followed by File.ReadAllText, permits symlink swaps via tools like BaitAndSwitch.

This loads untrusted manifests, enabling control over installer parameters for admin or SYSTEM contexts, such as injecting arguments into PowerShell-launched processes or leveraging installers like MSI and Inno Setup for elevated execution, without requiring a UAC bypass in some flows.

To mitigate, users should verify updates: VantageCoreAddin to version 1.0.0.199 or later, LenovoSystemUpdateAddin to 1.0.24.32 or higher, Lenovo Vantage to 10.2501.20.0, and Lenovo Commercial Vantage to 20.2506.39.0.

These versions can be checked in the add-in XML files or installation paths. The findings highlight the risks of vendor software relying on signature-based authentication and underscore the need for atomic operations, input sanitization, and stricter path validation in privileged services.
