• A critical vulnerability in Axis Communications’ Autodesk Revit plugin has exposed Azure Storage Account credentials, creating significant security risks for customers and potentially enabling supply chain attacks targeting the architecture and engineering industry.

    The vulnerability stems from hardcoded credentials embedded within signed Dynamic Link Libraries (DLLs) distributed to customers through the plugin’s Microsoft Installer (MSI) package.

    The security flaw was discovered in July 2024 when Trend Micro’s VirusTotal rules detected Azure Shared Access Signature (SAS) tokens within a digitally signed DLL named “AzureBlobRestAPI.dll”.

    The affected component was issued to AEC Advanced Engineering Computation Aktiebolag, an Autodesk partner specializing in AutoCAD and Revit platform consulting.

    This discovery initiated a months-long remediation process involving multiple vulnerability reports and patches.

    The exposed credentials provided unauthorized read and write access to three Azure storage accounts belonging to Axis Communications, a Swedish multinational company specializing in network video solutions and surveillance technology.

    These accounts contained critical assets including MSI installers for the Axis Plugin for Autodesk Revit and Revit Family Architecture (RFA) files used by customers for building information modeling projects.

    The vulnerability’s impact was amplified by the potential for attackers to replace legitimate files with malicious versions, effectively weaponizing the trusted distribution mechanism.

    Trend Micro analysts identified additional security concerns beyond the credential exposure. Through their Zero Day Initiative (ZDI) research, they discovered multiple remote code execution vulnerabilities in Autodesk Revit that could be triggered by importing malicious RFA files.

    This combination of vulnerabilities created a dangerous attack vector where threat actors could potentially compromise the storage accounts, upload crafted RFA files, and achieve mass compromise of Axis Communications customers using Autodesk Revit software.

    The discovery highlights broader supply chain security risks within the architectural and engineering software ecosystem.

    The plugin’s design flaws demonstrate how trusted third-party integrations can become attack vectors when proper security controls are not implemented.

    Technical Analysis of the Vulnerability

    The vulnerability’s technical foundation lies in poor credential management practices within the plugin’s architecture.

    Researchers found cleartext Azure SAS tokens and shared access key pairs for two Azure storage accounts named “axisfiles” and “axiscontentfiles” embedded within a private method called “internalSetEnvironment” of the class “AzureBlobRestAPI.DataTypes.Classes.Global”.

    The credentials granted extensive privileges including full read, write, delete, list, add, create, update, process, and execute permissions across the storage accounts.

    Compromising Axis Communications and Axis customers via supply chain attack (Source – Trend Micro)

    This level of access far exceeded the principle of least privilege, enabling attackers to not only access existing content but also modify distribution mechanisms and upload malicious files.

    When Axis Communications initially attempted to remediate the issue with version 25.3.710, they implemented code obfuscation using tools like Eazfuscator.

    However, this approach proved inadequate as the obfuscated credentials could be easily de-obfuscated using publicly available tools such as de4dot.

    The obfuscation merely provided security through obscurity rather than addressing the fundamental design flaw of embedding credentials in client-side code.

    The vulnerability’s persistence was further complicated by the storage accounts containing historical versions of the plugin installers.

    Even after implementing read-only SAS tokens in version 25.3.711, researchers discovered that attackers could still access previous plugin versions containing the overly permissive credentials, effectively bypassing the remediation efforts until all historical versions were properly secured.
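    To see what the findings above amount to in practice, here is an added example (not Trend Micro's or Axis's code) that pulls ASCII and UTF-16LE strings out of a build artifact, finds embedded Azure SAS tokens and storage account keys, and spells out each token's "sp" permission letters so an over-broad grant stands out next to a read-only one. The DLL bytes, token values and keys are constructed; only the account names come from the article.

```python
"""Added example, not Trend Micro's or Axis's code: extract strings from a
build artifact, find embedded Azure Storage SAS tokens and account keys,
and decode what each SAS token grants.  The DLL bytes are constructed."""
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Letters of the SAS 'sp' parameter, as the article lists them.
PERMISSION_NAMES = {
    "r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
    "c": "create", "u": "update", "p": "process", "e": "execute",
}
# Anything beyond read/list lets the holder change what the account serves.
MUTATING = set("wdacupe")

# A SAS is a query string ending in an HMAC signature; find_sas_tokens also
# requires the service-version parameter 'sv' before treating it as a SAS.
SAS_RE = re.compile(r"[A-Za-z0-9%&=+/._:\-]*sig=[A-Za-z0-9%+/=]{20,}")
# Connection strings carry the 512-bit account key as 88 base64 characters.
KEY_RE = re.compile(r"AccountName=([a-z0-9]+);AccountKey=([A-Za-z0-9+/]{86}==)")


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Printable runs in ASCII and in UTF-16LE.  .NET stores string literals
    UTF-16LE encoded, so an ASCII-only pass misses what a decompiler shows."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16-le") for r in wide_runs])


def find_sas_tokens(strings: list[str]) -> list[dict]:
    """One finding per SAS token, with the permission letters spelled out."""
    findings = []
    for s in strings:
        for m in SAS_RE.finditer(s):
            params = parse_qs(m.group(0).lstrip("?&"))
            if "sv" not in params:
                continue  # a signature without a service version is not a SAS
            perms = params.get("sp", [""])[0]
            findings.append({
                "permissions": [PERMISSION_NAMES.get(c, c) for c in perms],
                "mutating": bool(MUTATING & set(perms)),
                "expires": params.get("se", ["(none)"])[0],
                "services": params.get("ss", params.get("sr", ["?"]))[0],
            })
    return findings


def find_account_keys(strings: list[str]) -> list[dict]:
    """An account key is worse than any SAS: no expiry, every permission."""
    return [{"account": m.group(1), "key_prefix": m.group(2)[:8] + "..."}
            for s in strings for m in KEY_RE.finditer(s)]


def scan(blob: bytes) -> dict:
    strings = extract_strings(blob)
    return {"sas_tokens": find_sas_tokens(strings),
            "account_keys": find_account_keys(strings)}


# Constructed stand-in for the DLL: two UTF-16LE literals (a token as broad
# as the one described, and a read-only one like the 25.3.711 fix) plus an
# ASCII connection string.  Signatures and the key are fake.
BROAD_SAS = ("https://axisfiles.blob.core.windows.net/?sv=2022-11-02&ss=bfqt"
             "&srt=sco&sp=rwdlacup&se=2030-12-31T23:59:59Z&spr=https&sig="
             + "A" * 43 + "%3D")
READONLY_SAS = ("?sv=2022-11-02&ss=b&srt=o&sp=rl&se=2026-01-31T00:00:00Z"
                "&spr=https&sig=" + "B" * 43 + "%3D")
CONN_STRING = ("DefaultEndpointsProtocol=https;AccountName=axiscontentfiles;"
               "AccountKey=" + "C" * 86 + "==;EndpointSuffix=core.windows.net")
FAKE_DLL = (b"MZ\x90\x00" + b"\x00" * 16
            + BROAD_SAS.encode("utf-16-le") + b"\x00\x00"
            + READONLY_SAS.encode("utf-16-le") + b"\x00\x00"
            + CONN_STRING.encode("ascii") + b"\x00")

if __name__ == "__main__":
    report = scan(FAKE_DLL)
    for t in report["sas_tokens"]:
        verdict = "OVERLY BROAD" if t["mutating"] else "read-only"
        print(f"SAS {verdict}: {t['permissions']} until {t['expires']}")
    for k in report["account_keys"]:
        print(f"account key for '{k['account']}' embedded: {k['key_prefix']}")
```

Run against real artifacts, the same pass over an MSI's payload files would have flagged both the cleartext and the de-obfuscated builds, since the token text must exist in memory for the plugin to use it.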

    Axis Communications has confirmed that the vulnerabilities have been fully patched in the current version 25.3.718, with all previously reported issues resolved.

    The company has also taken proactive steps to notify affected partners and customers, emphasizing that the Autodesk Revit plugin is provided only to select partners and is generally not accessible for public use.


    The post Axis Communications Vulnerability Exposes Azure Storage Account Credentials appeared first on Cyber Security News.


  • Boeing is designing a tiltrotor drone wingman concept to support the Army’s helicopter fleet, similar to the Air Force’s push for collaborative combat aircraft, as the Army rushes to field unmanned drones.

    Renderings for the CxR aircraft were revealed by Boeing on Monday at the Association of the U.S. Army’s conference in Washington. The company’s pitch would place unmanned vertical-takeoff-and-landing aircraft alongside Army helicopters in combat and cargo operations.

    “We see a lot of demand in that RSTA mission: reconnaissance, surveillance, target acquisition and attack,” Chris Speights, chief engineer for Boeing’s vertical lift division, told Defense One on the sidelines of AUSA. “How the Army is using the Apache is evolving. We expect it to continue to evolve, and this gives them options and flexibility with how they conduct those missions going forward.”

    Boeing’s push to design an Army-focused drone wingman follows the Air Force’s progress on fielding its own collaborative combat aircraft. Company engineers said that effort, along with its own MQ-28 Ghost Bat drone wingman program for the Royal Australian Air Force, informed their concept.

    “It's definitely relevant,” Speights said of those CCA programs. “We actually expect to leverage a lot of those lessons learned, even some of the core technologies around the autonomy and mission capability, we expect to leverage those on the CxR.”

    Speights said the CxR aims to be in the group five category of drones, weighing in between 5,000 to 7,000 pounds with the ability to carry between 1,000 and 2,000 pounds of payload.

    Last year, the Army scrapped plans for its Future Attack Reconnaissance Aircraft, or FARA, program due in part to a pivot to unmanned systems. Army Secretary Dan Driscoll proposed a sweeping transformation initiative earlier this year highlighting the need for autonomous systems.

    “When we look at those FARA requirements, I think this lines up really well with what the customer was seeing … but with much better affordability,” Speights said. “We're looking at mission sets and capability gaps.”

    Renderings of the CxR show a profile similar to Boeing’s V-22 Osprey, a manned tiltrotor aircraft flown by multiple service branches. Osprey variants have been plagued by historic mishaps including 65 deaths since the 1990s, and the program has grappled with longstanding gear and engine issues. Speights said the CxR would be run on a single gas turbine engine, unlike the V-22.

    “This architecture will have a simplified approach,” Speights said. “We would centralize the propulsion system so you would have a very simple set of drive shafts and gearboxes that transmits power to the rotors.”

    Boeing’s competitors are also touting their recent ambitious unmanned projects. Last week, Sikorsky announced NOMAD, its offering of a rotor blown wing vertical take-off and landing drone. The Lockheed Martin subsidiary also unveiled a pilot-less UH-60L helicopter at AUSA for unmanned cargo missions. 


  • The Army’s artillery community envisions a future where artificial intelligence will scan the battlefield and tell soldiers where they need to aim the missiles. Now they just have to wait for the technology to mature.

    Language learning models aren’t at the point where they can do spatial reasoning or real-time situational awareness and deliver a plan to a soldier to act on. But the Army is working on what they want that to eventually look like, said Maj. Gen. Frank Lozano, who heads Program Executive Office Missiles and Space. 

    “What it's really tied to is an ability to process a large amount of data tied to multiple massed threats that we might see in the air battlespace, right?” Lozano said Monday at the AUSA annual meeting in Washington, D.C. “The enemy is never going to come at us in the way that we expect or plan for them to come at us. Right?"

    An AI-based tool that maps out where the enemy is and what they’re trying to send onto the battlefield will help the Army stay one step ahead, he said.

    “And so being able to prosecute targets very quickly using AI-enabled fire control, even minimal manning in some of these engagement operations centers, is going to be key for us to be able to win these future fights from an air missile defense and long-range prison fires perspective,” he said.

    The hitch will be getting the human decisionmakers up to speed on what’s been happening on the battlefield when they’ve been relying on AI for ongoing surveillance. 

    “What I offer is, in the near-term, we continue to wait for technology to completely catch up,” said Col. Charles Kean, who commands the 1st Multi-Domain Task Force at Joint Base Lewis-McChord, Washington. “You still can have a human out in the loop, or in the loop, or however you want to look at it.”

    But you won’t need as many people, Lozano said, and they won’t need to spend as much time.

    “The whole basis of this is reducing the human cognitive load, reducing the manpower footprint, enabling more data processing to occur,” he said.

    So Lozano put it to industry to help the Army close the gap between what they believe is possible and what currently exists.

    “And it's actually not really about maintaining pace, right?” Lozano said. “We've got to get ahead of the enemy in these areas, and so we're pushing you very hard—and a lot of you are helping us get there, whether you're using the capabilities and getting us that feedback from the forward edge, or you're in industry helping us develop these capabilities so that we can adapt it in a much more rapid fashion.”


  • The Pentagon’s latest strategic documents knock the Indo-Pacific off its perch as the Defense Department’s priority theater, but that guidance has so far not reduced funding or training opportunities for soldiers stationed in South Korea, the head of 8th Army told reporters Monday at the AUSA annual meeting in Washington, D.C. 

    And the command is keeping soldiers fed and trained during the government shutdown, which was set to cut off troops’ pay on Wednesday. President Donald Trump on Saturday said he had directed Defense Secretary Pete Hegseth to use “all available funds” to send Oct. 15 paychecks to service members.

    “They’re being fed this morning. They’re still training,” Lt. Gen. Hank Taylor said of troops under his command, but noted his civilian workforce has been furloughed. 

    In the longer term, it remains to be seen how the National Defense Strategy’s shift to the Western Hemisphere will impact funding in the Indo-Pacific. While China is now the Pentagon’s second priority, U.S. troops on the Korean peninsula are more specialized in training with Republic of Korea forces to deter North Korea. 

    The Trump administration had considered shifting 4,500 troops from the peninsula to Guam, the Wall Street Journal reported in May. 

    But for now, Taylor said, he’s not feeling any marked changes in resources or prioritization. 

    “I have everything I need, when I think about live-fire training, live-flight training, maneuver training, driving our vehicles, instructors, all those things,” he said. “Nothing that I've had to change any of my readiness here.”

    And while the Pentagon is pushing Asian allies to spend more on their own defense, that hasn’t been coupled with any American withdrawal from the region.

    “We are ready. We are modernizing, right? We have capabilities forward in the Indo-Pacific region,” Taylor said. 


  • The cybersecurity landscape witnessed a concerning development as threat actors discovered a novel attack vector targeting Microsoft Edge’s Internet Explorer mode functionality.

    This sophisticated campaign emerged in August 2025, exploiting the inherent security weaknesses of legacy browser technology to compromise unsuspecting users’ devices.

    The attack represents a significant evolution in threat actor tactics, demonstrating their ability to weaponize seemingly benign compatibility features.

    The attack methodology combines social engineering with zero-day exploits targeting Internet Explorer’s Chakra JavaScript engine. Cybercriminals initially direct victims to carefully crafted spoofed websites that appear legitimate, creating a false sense of security.

    Once victims arrive at these malicious sites, attackers deploy a strategic flyout notification requesting users to reload the page in Internet Explorer mode, effectively transitioning them from Edge’s secure Chromium-based environment to IE’s vulnerable legacy framework.

    This transition proves critical as Internet Explorer lacks the robust security architecture and defense-in-depth mitigations present in modern browsers.

    The legacy environment exposes users to risks that contemporary Chromium-based browsers are specifically engineered to prevent, creating an ideal exploitation opportunity for malicious actors.

    Microsoft Edge security analysts identified the threat after receiving credible intelligence about active exploitation campaigns.

    The research team discovered that attackers were systematically targeting the compatibility feature designed to support legacy business applications, older security camera interfaces, and government portals that still rely on outdated technologies like ActiveX and Flash.

    Chakra Engine Exploitation and Privilege Escalation

    The attack’s technical sophistication lies in its multi-stage exploitation process targeting the Chakra JavaScript engine.

    After successfully convincing victims to switch to Internet Explorer mode, attackers deploy unpatched zero-day exploits specifically crafted for IE’s JavaScript execution environment.

    The Chakra engine, despite Microsoft’s previous hardening efforts, remains vulnerable to memory corruption attacks that enable remote code execution.

    Following successful code execution within the browser context, threat actors implement a second exploit designed for privilege escalation.

    This secondary payload allows attackers to break out of the browser’s sandboxed environment, gaining elevated system privileges and full device control.

    The dual-exploit approach ensures comprehensive system compromise, enabling malware installation, lateral movement within corporate networks, and sensitive data exfiltration.

    Microsoft responded by restricting IE mode access, removing high-risk entry points including toolbar buttons and context menus while maintaining enterprise policy support for legitimate business needs.


    The post Hackers Leveraging Microsoft Edge Internet Explorer Mode to Gain Access to Users’ Devices appeared first on Cyber Security News.


  • North Korean state-sponsored threat actors have intensified their supply chain attacks against software developers through a sophisticated campaign dubbed “Contagious Interview,” deploying 338 malicious npm packages that have accumulated over 50,000 downloads.

    The operation represents a dramatic escalation in the weaponization of the npm registry, targeting Web3, cryptocurrency, and blockchain developers through elaborate social engineering schemes disguised as legitimate job recruitment processes.

    The campaign operates on a multi-stage attack framework that begins with reconnaissance on professional platforms like LinkedIn.

    Threat actors pose as recruiters or hiring managers, screening potential victims for technical expertise and financial opportunity.

    They specifically target developers working with cryptocurrency wallets, blockchain infrastructure, and Web3 applications, seeking to compromise systems likely to contain valuable credentials, private keys, and monetizable secrets.

    Lockheed Martin Cyber Kill Chain framework (Source – Socket.dev)

    Socket.dev analysts identified the malware following reports from victims who received fraudulent job opportunities that included coding assignments containing malicious dependencies.

    Job-offer lure (Source – Socket.dev)

    The researchers discovered that threat actors have evolved their tooling from direct BeaverTail malware droppers to more sophisticated HexEval, XORIndex, and encrypted loaders that execute during package installation or import processes.

    The malicious packages employ typosquatting techniques targeting everyday dependencies that developers install routinely, particularly in Node.js environments.

    Examples include variations of popular packages such as epxreso/epxresso/epxressoo (Express), dotevn (dotenv), and boby_parser (body-parser).

    This strategy exploits the deadline pressure common in technical interviews where candidates execute “npm install” commands without thorough scrutiny.
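    An added example (not Socket.dev's code) of the check a developer or a CI job could run over a take-home assignment's package.json before typing "npm install": it measures the edit distance from each dependency name to a list of popular packages, counting an adjacent-character swap as a single edit, which is exactly the typo behind epxreso and dotevn. The popular-package list and the manifest are constructed stand-ins.

```python
"""Added example, not Socket.dev's code: audit a package.json for dependency
names a keystroke away from popular packages (the epxreso / dotevn /
boby_parser pattern).  The package list and manifest are constructed."""
from __future__ import annotations
import json

# Stand-in for a popularity list; a deployment would load the most-downloaded
# few thousand names from the registry instead.
POPULAR = {"express", "dotenv", "body-parser", "lodash", "axios", "react",
           "chalk", "commander", "debug"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1.  The swap is what turns
    'express' into 'epxreso' and 'dotenv' into 'dotevn'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Compare on the bare name: drop a scope and treat '_' like '-'."""
    return name.split("/")[-1].lower().replace("_", "-")


def max_suspicious_distance(name: str) -> int:
    """Longer names absorb more typos before they stop looking familiar."""
    return 1 if len(name) <= 5 else 2 if len(name) <= 8 else 3


def check_dependency(name: str) -> dict | None:
    """Return a finding when 'name' is not popular but nearly spells one."""
    bare = normalize(name)
    if bare in POPULAR:
        return None
    distance, closest = min((edit_distance(bare, p), p) for p in POPULAR)
    if distance <= max_suspicious_distance(bare):
        return {"name": name, "looks_like": closest, "distance": distance}
    return None


def audit_package_json(text: str) -> list[dict]:
    """Findings for every dependency and devDependency in a manifest."""
    manifest = json.loads(text)
    names = {**manifest.get("dependencies", {}),
             **manifest.get("devDependencies", {})}
    return [f for f in map(check_dependency, names) if f is not None]


# Constructed manifest mixing the article's lookalikes with genuine packages.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "take-home-assignment",
    "dependencies": {"epxreso": "^4.18.0", "dotevn": "^16.0.0",
                     "boby_parser": "^1.20.0", "lodash": "^4.17.21",
                     "axios": "^1.6.0"},
    "devDependencies": {"epxressoo": "^1.0.0", "chalk": "^5.0.0"},
})

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{finding['name']!r} is {finding['distance']} edit(s) from "
              f"{finding['looks_like']!r}; confirm before installing")
```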

    Advanced Encryption and Persistence Mechanisms

    The latest wave introduces encrypted loaders that demonstrate a significant evolution in the attackers’ technical capabilities.

    These loaders utilize Node.js crypto functions with hardcoded AES-256-CBC encryption keys and initialization vectors, storing encrypted payloads in seemingly innocuous files like LICENSE documents.

    The malware reconstructs obfuscated BeaverTail malware in memory before typically fetching the InvisibleFerret backdoor for persistent system access.

    The encrypted loader implementation splits decryption logic across multiple files within the same package.

    Analysis of the redux-saga-sentinel package reveals how the loader imports Node crypto in lib/utils/smtp-connection/parse.js while storing the encrypted payload in the LICENSE file.

    During runtime, the loader decrypts the hex ciphertext to recover stage-two JavaScript code, which maintains obfuscation to evade static analysis detection.

    This technique enables in-memory execution while avoiding disk-based artifacts that traditional security tools might detect.

    The recovered payload establishes command and control communication over HTTP/HTTPS protocols, often using legitimate hosting platforms like Vercel to blend into normal developer traffic patterns, making detection significantly more challenging for security teams monitoring network communications.


    The post North Korean Hackers Attacking Developers with 338 Malicious npm Packages appeared first on Cyber Security News.


  • Security researchers have identified a sophisticated malware campaign that exploits WhatsApp’s messaging platform to deploy banking trojans targeting Brazilian financial institutions and cryptocurrency exchanges.

    The self-propagating worm, which emerged on September 29, 2025, demonstrates advanced evasion techniques and multi-stage infection chains designed to circumvent modern security defenses.

    The threat has already affected over 400 customer environments across more than 1,000 endpoints, highlighting the campaign’s widespread reach and effectiveness.

    The attack begins when victims receive a malicious ZIP archive through WhatsApp Web from a previously infected contact.

    The social engineering component is particularly clever, as the message claims the attached content can only be viewed on a computer, effectively forcing recipients to download and execute the malware on desktop systems rather than mobile devices.

    WhatsApp message sent from an infected WhatsApp contact (Source – Sophos)

    This strategic approach ensures the malware operates in an environment where it can establish persistence and deploy its full payload capabilities.

    Sophos analysts identified the malware’s sophisticated infection mechanism during their investigation of multiple incidents across Brazil.

    The threat actors demonstrate deep understanding of Windows security architecture and PowerShell capabilities, implementing obfuscation techniques that allow the malware to operate undetected for extended periods.

    The campaign’s technical sophistication suggests involvement of experienced cybercriminals with substantial resources and knowledge of Brazilian banking systems.

    Multi-Stage PowerShell Infection Chain

    The malware’s execution begins with a malicious Windows LNK file hidden within the ZIP archive. When executed, the LNK file contains an obfuscated Windows command that constructs and runs a Base64-encoded PowerShell command.

    Infection chain (Source – Sophos)

    This first-stage PowerShell script covertly launches an Explorer process that downloads the next-stage payload from command and control servers, including hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com, and sorvetenopote[.]com.

    The second-stage PowerShell command demonstrates the malware’s defensive evasion capabilities through explicit security control modifications.

    Portuguese-language comments embedded within the PowerShell code reveal the author’s intentions to “add an exclusion in Microsoft Defender” and “disable UAC” (User Account Control).

    These modifications create a permissive environment where the malware can operate without triggering security alerts or requiring user interaction for privileged operations.
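    The behaviours described above are easy to hunt for in PowerShell script-block logging once the -EncodedCommand layer is peeled off. This is an added example (not Sophos's code) that runs three detection rules over constructed log lines shaped like Event ID 4104 entries: it decodes the base64 (UTF-16LE) payload and rescans it, so the Defender exclusion and the EnableLUA=0 write are caught even though the raw line shows only a launcher and a blob.

```python
"""Added example, not Sophos's code: detection logic for PowerShell
script-block log entries that add Defender exclusions, disable UAC, or
hide such commands behind -EncodedCommand.  The log lines are constructed."""
from __future__ import annotations
import base64
import re

# Each rule names one behaviour the article attributes to the second stage.
RULES = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I),
    "defender_disable": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
    # EnableLUA set to 0 turns UAC off, whether via reg add or Set-ItemProperty.
    "uac_disable": re.compile(r"EnableLUA\b[^\n]*?\b0\b", re.I),
}
# PowerShell accepts -e, -ec, -enc and longer prefixes of -EncodedCommand.
ENCODED_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


def ps_encode(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str) -> str | None:
    """Plaintext of a -EncodedCommand argument found in 'text', or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64-wrapped UTF-16LE, so not an encoded command


def match_rules(text: str) -> set[str]:
    return {name for name, rx in RULES.items() if rx.search(text)}


def scan_line(line: str) -> dict:
    """Match rules against the raw line and, if present, the decoded command."""
    hits = match_rules(line)
    decoded = decode_encoded_command(line)
    inner = match_rules(decoded) if decoded is not None else set()
    return {"hits": sorted(hits | inner), "via_encoded": bool(inner),
            "decoded": decoded}


def scan_log(lines: list[str]) -> list[dict]:
    """Only the lines with at least one hit, tagged with their index."""
    results = []
    for i, line in enumerate(lines):
        r = scan_line(line)
        if r["hits"]:
            results.append({"line": i, **r})
    return results


# Constructed second stage in the spirit of the article (Portuguese comments
# as the article reports them); the launcher assembles 'powershell' from
# environment variables, so a plain string match on the raw line sees nothing.
STAGE2 = (
    'Add-MpPreference -ExclusionPath "$env:USERPROFILE"  # adiciona exclusao no Defender\n'
    "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System' -Name EnableLUA -Value 0  # desativa UAC\n"
)
LAUNCHER = ("cmd.exe /c set p=pow&& set q=ershell&& %p%%q% -nop -w hidden -enc "
            + ps_encode(STAGE2))

SAMPLE_LOG = [  # constructed, in the shape of Event ID 4104 ScriptBlockText
    "2025-09-29T10:14:58Z host=WS-0142 user=ana ScriptBlockText=Get-ChildItem $env:TEMP | Measure-Object",
    "2025-09-29T10:15:02Z host=WS-0142 user=ana ScriptBlockText=" + LAUNCHER,
    "2025-09-29T10:15:09Z host=WS-0142 user=ana ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        how = "inside -EncodedCommand" if r["via_encoded"] else "in clear"
        print(f"line {r['line']}: {', '.join(r['hits'])} ({how})")
```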

    The campaign delivers two distinct payloads depending on the infected system’s characteristics: a legitimate Selenium browser automation tool with matching ChromeDriver, and a banking trojan named Maverick.

    The Selenium payload enables attackers to control active browser sessions, facilitating WhatsApp web session hijacking and enabling the worm’s self-propagation mechanism.

    Meanwhile, the Maverick banking trojan monitors browser traffic for connections to Brazilian banks and cryptocurrency exchanges, deploying additional .NET-based banking malware when financial targets are accessed.


    The post New WhatsApp Worm Attacks Users with Banking Malware to Users Login Credentials appeared first on Cyber Security News.


  • Anduril will display its entry into the Army’s Soldier Borne Mission Command program starting Monday at the AUSA annual meeting, CEO Palmer Luckey told reporters Thursday.

    Dubbed Eagle Eye, the program aims to produce four different headsets, two of which will be in the Anduril booth, with two more still in earlier phases of development.

    “We've been working on augmented-reality technology for warfighters since near the beginning of Anduril,” said Luckey, who invented the Oculus Rift virtual-reality headset over a decade ago. “It was one of the very first things that we started investing in, primarily building the software back end that would be able to properly feed a combat heads-up display.”

    About two years later, Eagle Eye has variants for day or night operations, or different levels of ballistic protection. Anduril is working with companies like Oakley and Ops Core, but the plan is to integrate even more partners into a headset with modular capabilities that can be customized to the mission. 

    “I don't have to have different variants for each type of user,” Luckey said. “I can have one primary thing and then the changes to it are just—well, that guy has somewhat different sensors, those clip on. That guy is using a different display system—he can just use that one instead of the other. So 90-percent commonality is what we're kind of shooting for with modularity.”

    For example, a hyperspectral camera would be a great feature for an explosive ordnance disposal technician looking for bomb residue, but it’s not something every soldier will need. So that EOD specialist can clip one onto Eagle Eye, but there won’t be a universal suite of sensors for everyone. 

    The Eagle Eye offering that Luckey thinks will be the best contender for SBMC is a set of ballistic augmented-reality glasses that integrate with the helmet, so the processor and battery pack are worn on the helmet rather than in front of the eyes, making them feel much lighter than other VR glasses by distributing the weight around the head.

    “I would probably call it the primary variant right now, given that it’s the one that has the clearest path to deployment at large scale with a large customer,” Luckey said. “And when I say large scale, I mean, like the scale I care about, which is hundreds of thousands of units.”

    The other variant is “a full-ballistic, full-blast-protection, full-face helmet with a night-focused mixed-reality reprojection system,” he said. “So not optically transparent, because we're trying to build a ballistic visor that is rifle- and frag-rated across the entire thing, so no slits that people can shoot your eyes through.”

    The fully sealed helmet should also offer better protection from traumatic brain injury, he said.

    In addition to competing to make the hardware for SBMC, Anduril already has the Soldier Borne Mission Command-Architecture contract to administer the software that controls the headsets.

    “My dream is, maybe 10 years from now, that there are dozens of different providers who are making Eagle Eye-compatible headsets, and they're all able to share a common architecture, common data format, a lot of the same interconnects and standards around energy and data transmission,” he said. “And if we're able to do that, then I think we're actually going to get augmented reality to the military in a way that makes it useful for the first time, for people who are actually on the ground.”


  • A critical vulnerability in Lenovo’s Dispatcher drivers has come under the spotlight after researchers released a proof-of-concept exploit that demonstrates privilege escalation on affected Windows systems.

    Identified as CVE-2025-8061, this flaw stems from insufficient access controls in the drivers, potentially allowing local attackers to execute arbitrary code with elevated privileges.

    Discovered by security firm Quarkslab, the issue affects Lenovo consumer notebooks running older driver versions, raising alarms for users who haven’t applied recent patches.

    Vulnerability Breakdown

    The Lenovo Dispatcher drivers, versions 3.0 and 3.1, handle system processes on certain consumer notebooks, but they expose an IOCTL interface without proper access restrictions.

    This oversight, classified under CWE-782, enables an authenticated local user to manipulate the driver and trigger code execution in kernel mode, leading to full system compromise.

    The National Vulnerability Database rates it with a CVSS 4.0 score of 7.3, citing high impacts on confidentiality, integrity, and availability, though it requires local access and high attack complexity.

    Affected systems include those with LnvMSRIO.sys driver up to version 3.1.0.36, commonly found in Lenovo laptops preloaded with Windows 10 or older Windows 11 builds without default mitigations.

    Newer Lenovo Dispatcher 3.2 and above are unaffected, as Lenovo patched the flaw in version 3.1.0.41 released in September 2025.

    Importantly, enabling Windows Core Isolation Memory Integrity blocks exploitation, a feature active by default on Windows 11 Lenovo systems, reducing real-world risk for updated users.

    Aspect                  Details
    Affected Products       Lenovo Dispatcher Driver 3.0, 3.1 (LnvMSRIO.sys up to 3.1.0.36) on consumer notebooks
    Impact Assessment       Local privilege escalation to kernel mode, potential full system control
    Exploit Prerequisites   Authenticated local user access; Core Isolation disabled; specific Windows build (e.g., 24H2 without HVCI)
    CVSS 3.1 Score          N/A (CVSS 4.0: 7.3 – High)

    Exploitation In Action

    Security researcher Luis Casvella from Quarkslab detailed the exploit in a September 2025 blog post, highlighting how attackers can leverage the driver’s MSR read primitive to leak kernel addresses like KiSystemCall64 via the LSTAR register (MSR 0xC0000082).

    This information enables bypassing ASLR and SMEP protections, with the PoC demonstrating shellcode for token stealing to impersonate the SYSTEM process.

    A follow-up GitHub repository by symeonp provides a working PoC that spawns a SYSTEM shell on Windows 11 24H2, hardcoded for build 26100.1, requiring adjustments for offsets like KiSystemCall64 at 0x6b2b40 and CR4 manipulation to disable SMEP (bit 20).

    The technique involves reading MSRs to locate syscalls, injecting shellcode that navigates kernel structures such as _KPCR and _EPROCESS for token manipulation, and restoring registers like CR4 and LSTAR to avoid crashes.

    Casvella’s analysis notes four related bugs in the driver, emphasizing BYOVD tactics where signed drivers evade DSE for post-exploitation.

    While no wild exploits are reported, the public PoC underscores the ease of adaptation for red teamers or malware authors targeting unpatched Lenovo devices.

    Lenovo urges immediate updates to Dispatcher Driver 3.1.0.41 or later via Windows Update or their support site to close the gap.

    For added protection, users should verify Core Isolation in Windows Security under Device Security, toggling Memory Integrity on if it is disabled, which blocks kernel exploits without performance hits on modern hardware.

    Organizations should scan for vulnerable drivers using tools like those from AhnLab or monitor for IOCTL anomalies on endpoints.

    The disclosure timeline reveals Quarkslab’s coordinated efforts with Lenovo since June 2025, culminating in patches despite delays.

    As BYOVD remains a staple in advanced threats, this incident highlights the need for vigilant driver management in enterprise environments. With the PoC now public, prompt action is essential to safeguard against privilege escalation chains in real attacks.


    The post PoC Exploit Unveiled for Lenovo Code Execution Vulnerability Enabling Privilege Escalation appeared first on Cyber Security News.
