A trio of newly disclosed vulnerabilities in Lenovo Vantage, CVE-2025-6230, CVE-2025-6231 and CVE-2025-6232, underscores how a single trusted OEM utility can become a springboard for full machine compromise. Lenovo released patches on 8 July, but unpatched endpoints remain susceptible to one-click privilege escalation that grants complete control of Windows endpoints.

Lenovo Vantage, shipped by default on most modern ThinkPad and ThinkBook laptops, runs a core service as NT AUTHORITY\SYSTEM and dynamically loads C# plug-ins to expose update, hardware-control and telemetry features. Because these add-ins talk to the privileged service through a proprietary JSON-over-RPC protocol, any flaw in input validation or path handling immediately widens the attack surface for local adversaries. This architecture illustrates how each privileged add-in registers contracts that the central service blindly routes.

The service only checks that the connecting process bears a Lenovo digital signature, a control easily defeated by dropping a legitimate signed binary such as FnhotkeyWidget.exe into a writable folder and planting a malicious profapi.dll beside it. When the trusted executable loads the hijacked DLL, the adversary gains code execution inside a Lenovo-signed context and can speak freely to the RPC interface. Atredis analysts noted that this single weakness renders the remaining RPC attack surface fully reachable without admin rights.

The Set-KeyChildren command pretends to restrict writes to HKCU\SOFTWARE\Lenovo, but the whitelist check merely searches for that substring, allowing a crafted path such as HKLM\SOFTWARE\WOW6432Node\Lenovo\PWRMGRV\ConfKeys\Data\Battery1\HKCU\SOFTWARE\Lenovo. Several Lenovo power-management keys under that location inherit FullControl for any logged-in user, enabling a writable bridge from an unprivileged to a privileged hive. As Windows' symlink mitigation forbids direct HKCU→HKLM links, leveraging Lenovo's mispermissioned keys elegantly sidesteps the barrier. Subsequent RPC writes silently modify genuine HKLM service keys; pointing ImagePath to attacker-controlled binaries yields instant SYSTEM execution on reboot or service restart.

Although Lenovo's July update raises the add-ins to VantageCoreAddin 1.0.0.199 and LenovoSystemUpdateAddin 1.0.24.32, security teams should push the patch urgently, audit registry ACLs for lingering abuse, and consider removing or restricting Vantage entirely in hardened environments. Until then, any commodity malware able to land on disk can chain these flaws to achieve the highest privileges with almost no user interaction, a sobering reminder that trusted bloatware often hides enterprise-grade backdoors in plain sight.
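To make the Set-KeyChildren whitelist flaw concrete, here is an added example (not Lenovo's or Atredis's code) that places a substring-style check beside an anchored-prefix check and runs both over the crafted path quoted in the article. The function and constant names are this example's own assumptions; the registry paths are constructed inputs.

```python
"""Substring versus anchored-prefix validation of a registry path.

Added example, not code from Lenovo Vantage or the Atredis write-up.
`allowed_substring` mirrors the flaw the article describes (a bare search for
the HKCU\\SOFTWARE\\Lenovo substring); `allowed_anchored` is the hardened form.
Helper names are this example's own.
"""

ALLOWED_ROOT = r"HKCU\SOFTWARE\Lenovo"


def allowed_substring(path: str) -> bool:
    """Flawed check: accepts any path that merely contains the allowed root."""
    return ALLOWED_ROOT.lower() in path.lower()


def normalize(path: str) -> str:
    """Canonicalise separators, drop empty segments, map long hive names."""
    path = path.replace("/", "\\")
    parts = [p for p in path.split("\\") if p]  # collapse repeated separators
    if not parts:
        return ""
    hive_aliases = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
    parts[0] = hive_aliases.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts)


def allowed_anchored(path: str) -> bool:
    """Hardened check: the normalised path must be the root or a child of it."""
    norm = normalize(path).lower()
    root = ALLOWED_ROOT.lower()
    return norm == root or norm.startswith(root + "\\")


# Path quoted in the article: an HKLM key whose name ends with the whitelisted text.
CRAFTED = (r"HKLM\SOFTWARE\WOW6432Node\Lenovo\PWRMGRV\ConfKeys\Data"
           r"\Battery1\HKCU\SOFTWARE\Lenovo")


def compare(path: str) -> dict:
    """Return both verdicts so the two checks can be contrasted side by side."""
    return {"substring": allowed_substring(path),
            "anchored": allowed_anchored(path)}


if __name__ == "__main__":
    for p in (r"HKCU\SOFTWARE\Lenovo\Vantage", CRAFTED):
        print(p, compare(p))
```

The substring check passes the crafted HKLM path while the anchored check rejects it, because only a path whose hive and leading segments equal the whitelisted root is accepted.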
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 07:15:13 +0000