
Lenovo is urging users to remove a misconfigured file included in its preloaded Windows operating system images, which could allow local attackers to bypass certain security controls like AppLocker.
The file, MFGSTAT.zip, resides in the C:\Windows directory with improper access permissions, potentially opening the door to execution of unauthorized code.
The issue was discovered by Oddvar Moe, a security researcher affiliated with TrustedSec, who documented the vulnerability on his personal blog. Moe noticed that MFGSTAT.zip was writable by any authenticated user, a critical oversight when the file resides in the trusted Windows directory. This configuration can enable an AppLocker bypass by leveraging Windows Alternate Data Streams (ADS), a long-known tactic for executing malicious binaries in environments that rely on default application whitelisting rules.
During his investigation, Moe demonstrated that a local user could write a malicious payload into an alternate data stream attached to the file (MFGSTAT.zip:this) and then launch it with Microsoft's AppVLP.exe, a signed Office component that can run content stored in an ADS. Although the zip file itself could not be directly overwritten, Moe showed that ADS-based execution was both feasible and effective: the stream inherits the trusted location of its host file, so AppLocker's default path rule lets it run. His initial discovery dates back to 2019, but the issue still exists on newer Lenovo devices as of 2025.
Lenovo is one of the world's largest PC manufacturers, widely known for its ThinkPad and IdeaPad product lines. Its Windows preloaded images are used by millions of consumers and small businesses, many of whom may be unaware of the hidden file and its implications for endpoint security.
Lenovo has acknowledged the issue in a security bulletin, thanking Moe for his responsible disclosure. The company stopped short of issuing a patch, opting instead to offer manual removal guidance. According to Lenovo, the flaw is specific to devices running the company’s factory preloaded version of Windows and is not present in enterprise environments that deploy custom OS images.
The vulnerable file MFGSTAT.zip, which appears to be a leftover from manufacturing or testing processes, is normally hidden. Its existence in a high-trust directory like C:\Windows makes it a convenient target for bypassing application control policies. AppLocker's default executable rules allow Everyone to run anything under %WINDIR%, on the assumption that standard users cannot write there; a user-writable file in that directory breaks that assumption, so the bypass works even in relatively hardened environments that rely on the default rules.
To mitigate the risk, Lenovo recommends removing the file using any of the following methods:
- PowerShell: Remove-Item -Path "C:\Windows\MFGSTAT.zip" -Force
- Command Prompt: del /A:H C:\Windows\MFGSTAT.zip
- File Explorer: Enable viewing of hidden items, navigate to C:\Windows, right-click on MFGSTAT.zip, and choose "Delete."
Organizations using Lenovo's preloaded Windows images in production should consider scripting the file's removal across their fleet using management tools such as Group Policy Preferences or SCCM. Removing this one file does not address the underlying class of problem, so administrators should also regularly audit the Windows directory for unexpected files with permissive access control lists (ACLs), especially in environments using AppLocker or other application whitelisting mechanisms, and treat any such file with a non-default data stream as a sign that the bypass may already have been used.
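The following PowerShell script is an added example, not Lenovo's guidance or the researcher's code. It does what the paragraph above recommends for a managed fleet: it records any alternate data streams on MFGSTAT.zip before deleting it, then scans the top level of %WINDIR% for files whose ACL grants write access to broad principals. The list of principals treated as "broad" and the decision to check only WriteData/AppendData (the rights needed to add a stream) are assumptions made here; the script assumes it runs elevated, for example as a remediation script pushed by your management tooling.

```powershell
# Added example (not Lenovo's or the researcher's code). Assumes an elevated session.
# 1. Remove MFGSTAT.zip, recording any alternate data streams first.
# 2. Audit %WINDIR% for files that broad principals can write to.

$target = Join-Path $env:WINDIR 'MFGSTAT.zip'

if (Test-Path -LiteralPath $target) {
    # A stream other than the default ':$DATA' means someone has already
    # staged content in this file; log it before the evidence is deleted.
    $extra = Get-Item -LiteralPath $target -Stream * -Force |
             Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $extra) {
        Write-Warning ("ADS found on {0}: {1} ({2} bytes)" -f $target, $s.Stream, $s.Length)
    }
    # -Force is required because the file carries the Hidden attribute.
    Remove-Item -LiteralPath $target -Force
    Write-Output "Removed $target"
} else {
    Write-Output "$target not present"
}

# Principals that should never hold write rights on files under %WINDIR%
# (assumption: adjust to your environment).
$broad = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# WriteData/AppendData are the bits that allow adding a stream to a file.
# Modify and FullControl include these bits, so those ACEs match as well.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
             [System.Security.AccessControl.FileSystemRights]::AppendData

$findings = Get-ChildItem -LiteralPath $env:WINDIR -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($broad -contains $ace.IdentityReference.Value) -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Hidden    = $file.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
                }
            }
        }
    }

if ($findings) {
    Write-Warning "Files under $env:WINDIR writable by broad principals:"
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output "No broadly writable files found directly under $env:WINDIR"
}
```

The audit deliberately stays at the top level of the Windows directory, where AppLocker's default path rule applies wholesale; extend it with -Recurse if you also want subdirectories, but expect a longer run and some access-denied entries on protected system folders, which the -ErrorAction setting suppresses.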