6th July 2025, Kathmandu
A significant security vulnerability has been uncovered in Lenovo computers, revealing a writable file within the standard Windows directory that can be exploited to bypass AppLocker restrictions.
This flaw, centered around the file C:\Windows\MFGSTAT.zip, is present on numerous Lenovo machines shipped with the manufacturer’s default Windows image.
The Technical Details: A Permission Oversight
The core of this vulnerability lies in the file permissions of MFGSTAT.zip. Security analysis revealed that any authenticated user on an affected system has both write and execute permissions to this file. This seemingly minor oversight becomes critical when considering AppLocker’s default rules, which typically permit any executable within the C:\Windows directory to run. Consequently, the writable MFGSTAT.zip file transforms into a dangerous vector for attackers to circumvent AppLocker’s application whitelisting.
Exploitation Method: Leveraging Alternate Data Streams
Exploiting this vulnerability does not require an attacker to directly overwrite the MFGSTAT.zip file. Instead, attackers can utilize Windows’ alternate data streams (ADS) feature. This allows them to attach a malicious binary as a hidden data stream to MFGSTAT.zip.
For example, an attacker could add an executable using a command like:
type c:\temp\malware.exe > c:\windows\mfgstat.zip:this
The malicious payload can then be executed using a legitimate, whitelisted Windows utility, such as appvlp.exe from Microsoft Office:
"C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe" c:\Windows\mfgstat.zip:this
This sophisticated technique enables attackers to run unauthorized code and effectively bypass AppLocker’s security controls without requiring administrative privileges, making it a potent method for privilege escalation and malware execution.
Lenovo’s Response and Mitigation
Upon notification, Lenovo’s Product Security Incident Response Team (PSIRT) acknowledged the issue. However, instead of releasing a software patch, Lenovo has opted to provide guidance recommending the removal of the vulnerable file.
Lenovo has outlined several methods for users and administrators to delete MFGSTAT.zip:
PowerShell: Remove-Item -Path "C:\Windows\MFGSTAT.zip" -Force
Command Prompt: del /A:H C:\Windows\MFGSTAT.zip
Windows File Explorer: Navigate to C:\Windows, enable “show hidden items,” right-click MFGSTAT.zip, and select “Delete.”
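The following script is an added example, not code from Lenovo's advisory or from the researcher: it checks whether MFGSTAT.zip is present, whether a broad group such as Authenticated Users holds write rights on it, whether any alternate data stream has already been attached to it, and then removes the file as Lenovo recommends. It assumes Windows PowerShell 5.1 or later, run in an elevated session on the machine being checked; the function names are the example's own.

```powershell
# Added example: audit and remove C:\Windows\MFGSTAT.zip on a Lenovo preload.
# Assumes Windows PowerShell 5.1+ in an elevated session (assumption, not from the advisory).

$Target = 'C:\Windows\MFGSTAT.zip'

# Identities whose write access inside C:\Windows undermines AppLocker's default
# "allow everything under the Windows folder" rule.
$BroadGroups = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
$WriteData = [int][System.Security.AccessControl.FileSystemRights]::WriteData

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Write, Modify and FullControl all include the WriteData bit.
        if (([int]$ace.FileSystemRights -band $WriteData) -ne 0) { return $true }
    }
    return $false
}

function Get-ExtraStreams {
    param([string]$Path)
    # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
    Get-Item -Path $Path -Force -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
}

if (-not (Test-Path -Path $Target)) {
    Write-Output "$Target not present; this image is not affected."
    return
}

if (Test-BroadWriteAccess -Path $Target) {
    Write-Warning "$Target is writable by a broad group; its contents fall under AppLocker's default Windows-folder allow rule."
}

$extra = Get-ExtraStreams -Path $Target
if ($extra) {
    Write-Warning "Alternate data streams found on $Target (possible staged payload; preserve a copy for investigation before removal):"
    $extra | ForEach-Object { Write-Warning ('  {0}  ({1} bytes)' -f $_.Stream, $_.Length) }
}

# Remediation per Lenovo's guidance: delete the file, which takes any attached streams with it.
Remove-Item -Path $Target -Force
Write-Output "Removed $Target"
```

Running the audit across a fleet is the more useful check: the same Test-BroadWriteAccess function can be pointed at any file under C:\Windows to find other writable locations that the default AppLocker rules would trust.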
It’s important to note that organizations deploying their own custom Windows images are not affected by this vulnerability, as MFGSTAT.zip is specific to Lenovo’s preloaded operating systems.
Lessons Learned for System Security
This discovery underscores the critical importance of thoroughly scrutinizing default file permissions, particularly within system directories. While Lenovo’s provided guidance mitigates the immediate risk, the incident serves as a stark reminder that even seemingly minor oversights in system configuration can have significant security consequences, potentially undermining robust security frameworks like AppLocker.
Lenovo has credited the security researcher for their responsible disclosure and urges all users of affected systems to remove the MFGSTAT.zip file promptly to safeguard their devices.
For more: Lenovo Security Alert Writable File