Lenovo Pre-installed Writable File Vulnerability Could Bypass Windows AppLocker Protection
Security researchers have identified a critical permission misconfiguration on Lenovo PCs involving a pre-installed file mfgstat.zip. This flaw allows standard users to write to the file and potentially bypass Windows AppLocker, a built-in application control feature designed to block unauthorized software execution. Attackers can leverage this weakness to execute malicious code via trusted binaries without requiring administrative privileges, posing significant risks to enterprise endpoint security.
Vulnerability Details
• The vulnerable file resides at C:\Windows\mfgstat.zip, part of Lenovo’s pre-installed Windows image.
• The file’s Access Control List (ACL) grants authorized standard users full read, write, and execute permissions, violating AppLocker’s default assumption that protected system directories are non-writable by standard users.
• An attacker can inject malicious code into mfgstat.zip and execute it using approved Windows binaries like AppLVP.exe, effectively bypassing AppLocker’s execution control.
• This attack requires no administrator privileges, exploiting AppLocker’s trust in files located in the Windows directory.
Mitigation Recommendations
• Audit endpoints, especially Lenovo systems, to detect the presence of mfgstat.zip.
• Manually delete the file or automate removal via enterprise management tools such as SCCM or Group Policy.
• Review and tighten AppLocker policies to ensure proper permission settings on protected directories.
• Adopt custom Windows images for enterprise deployments instead of vendor-preinstalled ones to avoid embedded security risks.
• Deploy behavioral monitoring and intrusion detection systems to detect misuse of legitimate binaries for code execution.