Saturday, December 13, 2025

Writable File in Lenovo Windows Directory Allows Stealthy AppLocker Bypass

A vulnerability affecting Lenovo machines allows standard users to bypass AppLocker application control through a user-writeable file that ships inside the Windows system directory.

The issue, disclosed by Oddvar Moe of TrustedSec, involves improper file permissions on MFGSTAT.zip, a file preinstalled in Lenovo’s factory Windows images. It undermines enterprise deployments that rely on AppLocker’s default rules, which trust everything under the Windows folder.

The vulnerability was first identified in 2019 when Moe discovered unusual file permissions during routine security assessments on a Lenovo X1 Extreme machine.

Initially believed to affect only specific Lenovo models, subsequent investigation in 2025 revealed the issue persists across all Lenovo variants with preloaded Windows operating systems.

The problematic file, located at C:\Windows\MFGSTAT.zip, grants write and execute permissions to the Authenticated Users group, which covers every interactive user on the machine. In environments running AppLocker’s default configuration that is a significant gap, because the default executable rules allow anything located under C:\Windows on the assumption that only administrators can write there.

That trust relationship, combined with the writeable permissions on MFGSTAT.zip, gives a non-privileged user a path to execute arbitrary code while the application control policy remains in place and reports no violation.

The vulnerability is particularly concerning for enterprise environments where AppLocker serves as a primary defense mechanism against unauthorized software execution.
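The following Windows PowerShell script is an added check, not code from the article or from TrustedSec’s write-up. It enumerates entries directly under C:\Windows (raise the depth to walk subdirectories) and reports any that grant write-class rights to low-privilege principals, which are exactly the paths AppLocker’s default Windows-folder rule trusts. The function name and the list of principals are the author’s assumptions; it targets Windows PowerShell 5.1 or later.

```powershell
# Added audit example (not from the article). Finds user-writable paths under C:\Windows,
# i.e. locations that AppLocker's default "allow everything in %WINDIR%" rule would execute.
$LowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user change the file's content or add a stream to it.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

function Find-WritableWindowsPaths {
    param(
        [string]$Root  = 'C:\Windows',
        [int]   $Depth = 0          # 0 = only the direct children of $Root (where MFGSTAT.zip lives)
    )
    # -Force includes hidden items; MFGSTAT.zip carries the hidden attribute.
    Get-ChildItem -Path $Root -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow')                               { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value)      { continue }
                if (($ace.FileSystemRights -band $WriteRights) -eq 0)                  { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
}

# On an affected Lenovo preload this lists C:\Windows\MFGSTAT.zip with Authenticated Users.
Find-WritableWindowsPaths -Depth 0 | Format-Table -AutoSize
```

Run it as a standard user rather than an administrator so the result reflects what an attacker actually sees. With a larger depth it will also list the long-known user-writable directories under C:\Windows (for example the Tasks and Temp folders) that AppLocker deployment guidance already tells administrators to exclude; MFGSTAT.zip is notable because it is a single hidden file at the root of the Windows folder, where nobody expects one.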

Lenovo Windows Directory

Exploitation of this vulnerability leverages NTFS alternate data streams (ADS) to attach executable content to the writeable zip file without touching its primary content.

Moe demonstrated the attack by first copying a legitimate binary file, such as Sysinternals’ autoruns.exe, to a temporary directory.

From a standard cmd.exe prompt, the command "type c:\temp\autoruns.exe > c:\windows\mfgstat.zip:this" writes the executable into a named stream ("this") on the existing zip file. Only write access to the file is needed; no administrative rights are involved.

The embedded payload is then executed through AppVLP.exe, a signed Microsoft binary installed with the Office Click-to-Run/App-V client rather than with Windows itself. It will launch a program given as a stream path, and because it lives under Program Files it is itself permitted by AppLocker’s default rules.

The command "C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe c:\Windows\mfgstat.zip:this" launches the hidden executable, and AppLocker permits it because the path being executed sits under C:\Windows. The exact AppVLP.exe path depends on the installed Office architecture, and the launcher is only present where Office is installed; the underlying weakness, a user-writeable file inside an allowed directory, does not depend on it.

This technique is particularly stealthy because it never overwrites the file: the zip’s primary stream, size and timestamps as shown by dir or Explorer are unchanged, and tooling that only inspects a file’s primary data stream will not see the payload. The launcher, meanwhile, is built-in Microsoft-signed functionality that security solutions often trust implicitly.
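The following Windows PowerShell triage script is an added example, not code from the article or from TrustedSec, for checking whether a host has already been abused in the way described above. It lists every named stream on MFGSTAT.zip other than the primary stream and the mark-of-the-web stream, and reads the first two bytes of each to flag a hidden PE image (MZ header). The function name is the author’s; the byte-reading syntax assumes Windows PowerShell 5.1 (on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream").

```powershell
# Added triage example (not from the article). Enumerates alternate data streams on
# MFGSTAT.zip, which is where the payload is planted in the technique described in the text.
function Get-SuspiciousStreams {
    param([string]$Path = 'C:\Windows\MFGSTAT.zip')

    if (-not (Test-Path -LiteralPath $Path)) { return }   # already removed: nothing to inspect

    # ':$DATA' is the file's ordinary content; Zone.Identifier is the mark-of-the-web. Anything
    # else is a named stream that an ordinary zip file has no reason to carry.
    Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
        ForEach-Object {
            # Peek at the first two bytes of the stream: 0x4D 0x5A ("MZ") means a PE was hidden there.
            $head = Get-Content -LiteralPath $Path -Stream $_.Stream -Encoding Byte -TotalCount 2 `
                                -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File   = $Path
                Stream = $_.Stream
                Bytes  = $_.Length
                IsPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

Get-SuspiciousStreams | Format-Table -AutoSize
```

A clean machine prints nothing. To see the check fire in a lab, plant a stream with the cmd.exe redirection shown in the article and rerun; the "this" stream is reported with IsPE set to True. For continuous coverage, stream creation on files under C:\Windows is also visible to Sysmon’s FileCreateStreamHash event (Event ID 15), which records the target file, the stream and a hash of its content.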

The root cause is worth restating: AppLocker, Microsoft’s application whitelisting solution, allows under its default executable rules any file located within the C:\Windows directory tree. Those rules are only as strong as the file permissions beneath them, so every user-writeable file or folder in that tree is a ready-made bypass.

Lenovo’s Response and Remediation

Following responsible disclosure to Lenovo’s Product Security Incident Response Team (PSIRT), the company acknowledged the vulnerability but declined to issue a traditional security patch.

Instead, Lenovo published guidance document HT517812, recommending complete removal of the MFGSTAT.zip file as the primary remediation strategy.

The company’s rationale centers on the assumption that most enterprise environments deploy custom operating system images rather than relying on manufacturer-preloaded systems.

Lenovo provides three removal methods, each run from an elevated prompt: the PowerShell command "Remove-Item -Path 'C:\Windows\MFGSTAT.zip' -Force", the Command Prompt instruction "del /A:H C:\Windows\MFGSTAT.zip", and manual deletion through Windows File Explorer after enabling hidden file visibility. The -Force switch and the /A:H attribute filter are needed because the file carries the hidden attribute and would otherwise be skipped.

For enterprise environments, administrators can implement automated removal through Group Policy Preferences, System Center Configuration Manager (SCCM), or similar deployment tools.
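For fleet deployment, the following Windows PowerShell script is an added example, not Lenovo’s HT517812 text or code from the article. It is written in the detect-then-remediate shape that Intune proactive remediations, SCCM compliance scripts and GPO startup scripts all accept: it records any alternate data streams found on the file as evidence before deleting it, verifies the deletion, and returns a non-zero exit code when the host is still non-compliant so the deployment tool reports the failure. The function name and log path are the author’s assumptions; it expects to run as SYSTEM or an administrator.

```powershell
# Added remediation example (not Lenovo's or the article's code). Idempotent: safe to run on
# every machine on every cycle, including images that never shipped MFGSTAT.zip.
$Target  = 'C:\Windows\MFGSTAT.zip'
$LogPath = "$env:ProgramData\MfgStatRemediation.log"     # assumed log location

function Remove-MfgStat {
    param([string]$Path = $Target)

    if (-not (Test-Path -LiteralPath $Path)) {
        Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format s) compliant: $Path absent"
        return 0
    }

    # Evidence first: any named stream other than the primary one suggests prior abuse.
    $extra = @(Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' })
    if ($extra.Count -gt 0) {
        $names = ($extra | ForEach-Object { "$($_.Stream)($($_.Length)B)" }) -join ', '
        Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format s) WARNING streams on ${Path}: $names"
    }

    # -Force is required because the file is hidden; deleting the file removes all its streams.
    Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    if (Test-Path -LiteralPath $Path) {
        Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format s) FAILED to remove $Path"
        return 1      # non-compliant: surface the failure to the deployment tool
    }

    Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format s) remediated: removed $Path"
    return 0
}

exit (Remove-MfgStat)
```

Keep the script scheduled rather than running it once: re-imaging a device from a Lenovo preload, or restoring it from a vendor recovery partition, brings the file back with the same permissions. A WARNING line in the log is a reason to open an incident for that host, since a named stream on this file has no legitimate origin.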

The incident underscores the importance of comprehensive filesystem auditing when implementing application whitelisting solutions, as seemingly innocuous manufacturer-specific files can create unexpected security vulnerabilities that persist across system generations.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
