#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:    Lenovo Vantage
# Vendor:     Lenovo
# CSNC ID:    CSNC-2026-001
# CVE ID:     CVE-2025-13154
# Subject:    Lenovo Vantage - Local Privilege Escalation
# Risk:       High
# Effect:     Local Privilege Escalation
# Researcher: Manuel Kiesel (cyllective AG)
# Researcher: John Ostrowski (Compass Security)
# Date:       10.02.2026
#
#############################################################

Introduction
------------

Lenovo Vantage is an application provided by Lenovo that helps to manage
computer hardware, including system updates and drivers.

It was affected by a vulnerability that allowed a local low-privileged user
to gain administrative privileges.

Affected
--------

Vulnerable:
 * Lenovo Vantage SmartPerformanceAddin up to version 1.1.0.1111.

Not vulnerable:
 * Lenovo Vantage SmartPerformanceAddin 1.1.0.1111 or later.

Technical Description
---------------------

Lenovo Vantage runs with SYSTEM privileges and contains a file cleanup
routine that deletes the user-writable `C:\Users\\AppData\Local\Temp`
directory without proper safeguards, allowing a low-privileged user to
influence files handled by an elevated process.

This can be abused through the known privilege escalation primitive built
on the MSI installer rollback mechanism, which converts an arbitrary folder
deletion performed by a privileged process into a local privilege
escalation.

Workaround / Fix
----------------

Update Vantage SmartPerformanceAddin to version 1.1.0.1111 or later.
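The defensive counterpart to the cleanup routine described above, added here as an example and not Lenovo's or Compass Security's code: a privileged process that must clear a user-writable directory refuses to follow reparse points (symlinks and junctions, the redirect that turns an arbitrary deletion into damage elsewhere) and aborts if the target does not resolve to a location under the root it was meant to clean. The `FILE_ATTRIBUTE_REPARSE_POINT` check applies on Windows; on POSIX the code falls back to the symlink bit, and the `demo()` scenario is constructed in a scratch directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows sets this attribute on both symbolic links and junctions.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path):
    """True if path itself (not its target) is a symlink or a Windows junction."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; elsewhere treat it as 0.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def safe_cleanup(temp_dir, expected_root):
    """Delete the contents of temp_dir without following reparse points.

    Returns (deleted, skipped). Skipped entries are links/junctions that could
    redirect the delete, plus directories left non-empty because of them.
    Raises PermissionError if temp_dir is itself a link or resolves outside
    expected_root (the location the privileged process intended to clean).
    """
    temp_dir, root = Path(temp_dir), Path(expected_root).resolve()
    if not temp_dir.is_dir() or is_reparse_point(temp_dir):
        raise PermissionError(f"refusing to clean {temp_dir}: not a plain directory")
    resolved = temp_dir.resolve()
    if resolved != root and root not in resolved.parents:
        raise PermissionError(f"refusing to clean {temp_dir}: outside {root}")
    deleted, skipped = [], []
    # topdown=False removes children before parents; followlinks=False never descends a link.
    for dirpath, dirnames, filenames in os.walk(temp_dir, topdown=False, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                if is_reparse_point(p):
                    skipped.append(str(p))  # leave the redirect untouched
                    continue
                os.rmdir(p) if p.is_dir() else os.unlink(p)
                deleted.append(str(p))
            except OSError:
                skipped.append(str(p))  # e.g. still non-empty because of a skipped link
    return deleted, skipped


def demo():
    """Constructed scenario: a Temp dir with a real file and a symlink pointing at a
    directory the cleanup must not touch. Returns (victim_intact, n_deleted, n_skipped)."""
    base = Path(tempfile.mkdtemp())
    temp, victim = base / "Temp", base / "victim"
    (temp / "sub").mkdir(parents=True); victim.mkdir()
    (temp / "sub" / "junk.tmp").write_text("x"); (victim / "keep.txt").write_text("keep")
    os.symlink(victim, temp / "redirect", target_is_directory=True)
    deleted, skipped = safe_cleanup(temp, base)
    return (victim / "keep.txt").exists(), len(deleted), len(skipped)
```

Checking by path and then deleting by path still leaves a race window, so the more robust fixes are to operate on an already opened handle or to impersonate the user before touching anything in their profile; the example shows the checks, not a substitute for those designs.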
Timeline
--------

2025-11-23: First contact with Lenovo via psirt@lenovo.com
2025-11-24: Got a response on how to send the report
2025-11-25: Sent report
2025-11-25: Lenovo confirmed they received the report
2025-12-04: Lenovo acknowledges the vulnerability and reserves CVE-2025-13154
2026-01-13: The patch is released

References
----------

[1] https://support.lenovo.com/us/en/product_security/LEN-208293
[2] https://cyllective.com/blog/posts/lenovo-vantage
[3] https://blog.compass-security.com/2026/02/from-folder-deletion-to-admin-lenovo-vantage-cve-2025-13154/