Divya
2025-07-04 06:25:00
gbhackers.com
A security researcher has uncovered a significant vulnerability affecting Lenovo computers: a writable file within the Windows directory that can be exploited to bypass AppLocker restrictions.
The file in question, C:\Windows\MFGSTAT.zip, is present on many Lenovo machines that ship with the manufacturer’s default Windows image.
This issue, initially thought to affect only a handful of devices, has now been confirmed across a wide range of Lenovo models.
The Technical Issue
The vulnerability centers on the file permissions of MFGSTAT.zip. Using access control checking tools, it was discovered that any authenticated user on the system could write to this file.
A review of the file’s Access Control Lists (ACLs) in Windows Explorer confirmed that standard users have both write and execute permissions.
This is problematic because AppLocker's default path rules include "(Default Rule) All files located in the Windows folder", which lets Everyone run executables under %WINDIR%\* on the assumption that standard users cannot write there. A user-writable file inside that directory breaks the assumption, so MFGSTAT.zip becomes a vector for attackers to evade AppLocker's application whitelisting without touching any path the policy blocks.
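The check a practitioner would want here is to find every file under an AppLocker-trusted directory that a standard user can write to, not only MFGSTAT.zip. The following PowerShell is an added example (not code from the article, the researcher or Lenovo); the function names, the list of low-privilege SIDs and the probe stream name are this example's own choices. It resolves ACEs to SIDs so it works regardless of display-name language, and Test-StreamWritable confirms a finding the same way the bypass would, by creating and then deleting a throwaway alternate data stream.

```powershell
# Added example: audit a directory that AppLocker's default path rule trusts
# (%WINDIR% by default) for files whose ACL lets a standard user write.

$script:LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

function Test-WriteRight {
    # True if the access mask grants what is needed to add data or a new stream
    # to a file: FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), or the generic
    # GENERIC_WRITE / GENERIC_ALL bits that inherited ACEs often carry.
    param([long]$Mask)
    $specific = 0x2 -bor 0x4
    $generic  = 0x40000000 -bor 0x10000000
    return (($Mask -band $specific) -ne 0) -or (($Mask -band $generic) -ne 0)
}

function Find-UserWritableFiles {
    param(
        [string]$Root = $env:SystemRoot,
        [int]$Depth   = 0          # 0 = only the directory itself
    )
    # -Force is needed: MFGSTAT.zip is a hidden file and would be skipped otherwise.
    Get-ChildItem -LiteralPath $Root -File -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }
        # Ask for the rules with identities already resolved to SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($script:LowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
            if (-not (Test-WriteRight ([long]$ace.FileSystemRights))) { continue }
            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-StreamWritable {
    # Confirms a finding the way the bypass would: create, then remove, a one-byte
    # alternate data stream. Run as a standard user. The report above ignores
    # Deny ACEs and nested group membership, so this is the authoritative check.
    param([Parameter(Mandatory)][string]$Path)
    $stream = 'acl_probe'   # arbitrary name chosen for this example
    try {
        Set-Content -LiteralPath $Path -Stream $stream -Value 'x' -Force -ErrorAction Stop
        Remove-Item -LiteralPath $Path -Stream $stream -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Usage: list writable files at the top level of the Windows directory, then
# confirm the specific file this advisory is about.
Find-UserWritableFiles -Root $env:SystemRoot -Depth 0 | Format-Table -AutoSize
Test-StreamWritable -Path (Join-Path $env:SystemRoot 'MFGSTAT.zip')
```

Raise the depth to sweep subdirectories; anything the audit reports that also resolves to a path an AppLocker allow rule covers is a candidate for the same bypass, whatever the file's name or extension.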
Exploitation Method
To exploit this vulnerability, an attacker does not even need to overwrite the zip file itself. Instead, they can leverage the alternate data streams (ADS) feature of NTFS. Adding a stream requires only write access to the host file, which standard users have here, and the stream is addressed as C:\Windows\MFGSTAT.zip:<name>, so it still sits under the path the default rule trusts.
By placing a malicious binary in an alternate data stream of MFGSTAT.zip, an attacker can execute arbitrary code. For example, the following command copies an executable into a stream named "this":
type c:\temp\autoruns.exe > c:\windows\mfgstat.zip:this
The attacker can then launch the payload through a legitimate, signed utility that accepts an ADS path, such as appvlp.exe (the Microsoft Office Application Virtualization launch proxy), which itself lives under Program Files and is therefore allowed by another default rule:
"C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe" c:\Windows\mfgstat.zip:this
This technique runs code the policy was meant to block without touching anything outside the directories AppLocker already trusts, effectively bypassing AppLocker's restrictions.

Upon being notified, Lenovo’s Product Security Incident Response Team (PSIRT) acknowledged the issue but opted not to release a patch.
Instead, Lenovo published guidance recommending the removal of the vulnerable file. The company provided three methods for deletion (the -Force flag and the /A:H switch are needed because the file is marked hidden, and the Explorer route requires hidden items to be shown for the same reason):
- PowerShell:
  Remove-Item -Path "C:\Windows\MFGSTAT.zip" -Force
- Command Prompt:
  del /A:H C:\Windows\MFGSTAT.zip
- Windows File Explorer:
  Navigate to C:\Windows, show hidden items, right-click MFGSTAT.zip, and select "Delete".
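Before deleting the file, an incident responder will want to know whether anyone has already used it: an alternate data stream on MFGSTAT.zip is direct evidence of the bypass described above. The following PowerShell is an added example, not Lenovo's published guidance or the article's code. It lists the file's streams, flags any that start with a PE header, keeps a copy of the file (streams included) in a quarantine directory, and then removes it. The quarantine path and the function names are this example's own choices; run it from an elevated session.

```powershell
# Added example: inspect MFGSTAT.zip for alternate data streams, preserve it for
# IR if any are present, then remove the file and every stream attached to it.

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # ':$DATA' is the file's own content; every other entry is an ADS.
    Get-Item -LiteralPath $Path -Stream * -Force |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $name = $_.Stream
            # Peek at the first two bytes: 'MZ' (77,90) marks a PE image, as an
            # executable dropped into a stream would be. -Encoding Byte is
            # Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream.
            $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                Get-Content -LiteralPath $Path -Stream $name -AsByteStream -TotalCount 2
            } else {
                Get-Content -LiteralPath $Path -Stream $name -Encoding Byte -TotalCount 2
            }
            [pscustomobject]@{
                Stream = $name
                Length = $_.Length
                IsPE   = ((@($head) -join ',') -eq '77,90')
            }
        }
}

function Remove-MfgStat {
    param(
        [string]$Path       = (Join-Path $env:SystemRoot 'MFGSTAT.zip'),
        [string]$Quarantine = 'C:\Quarantine'   # assumed location; adjust to your IR process
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Not present: $Path"
        return $true
    }
    $streams = @(Get-AlternateStreams -Path $Path)
    if ($streams.Count -gt 0) {
        # An ADS here means the bypass was used on this host: keep a copy first.
        # Copy-Item on NTFS carries alternate streams along with the file.
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $dest = Join-Path $Quarantine ('MFGSTAT.zip.' + (Get-Date -Format 'yyyyMMddHHmmss'))
        Copy-Item -LiteralPath $Path -Destination $dest -Force
        foreach ($s in $streams) {
            Write-Warning "ADS ${Path}:$($s.Stream) ($($s.Length) bytes, PE=$($s.IsPE)) preserved in $dest"
        }
    }
    # -Force is required because the file is hidden; deleting the file removes
    # all of its streams at once, so no per-stream cleanup is needed.
    Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
    return -not (Test-Path -LiteralPath $Path)
}

Remove-MfgStat
```

If the quarantined copy contains a PE stream, treat the host as compromised rather than merely exposed: the file's presence is Lenovo's oversight, but a stream on it was put there by someone with a foothold on the machine.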
Lenovo noted that organizations deploying their own Windows images are not affected, as the file is specific to the preloaded Lenovo operating system.
This discovery highlights the importance of scrutinizing default file permissions, especially in system directories.
While Lenovo’s guidance mitigates the risk, the incident serves as a reminder that even minor oversights in system configuration can have significant security consequences.
Lenovo has credited the researcher for responsibly disclosing the issue and encourages all users of affected systems to remove the file promptly.