CVE-2025-8061

HIGH

Lenovo Dispatcher <3.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-8061. PoCs published by symeonp, spawn451, segura2010.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-8061, targeting the Lenovo LnvMSRIO.sys driver (version 3.1.0.36) to achieve local privilege escalation (LPE) by leveraging arbitrary read/write primitives to bypass SMEP and execute token-stealing shellcode. The exploit includes detailed technical notes on offset adjustments, ASLR bypass techniques, and shellcode modifications for different Windows versions.

Description

A potential insufficient access control vulnerability was reported in the Lenovo Dispatcher 3.0 and Dispatcher 3.1 drivers used by some Lenovo consumer notebooks that could allow an authenticated local user to execute code with elevated privileges. The Lenovo Dispatcher 3.2 driver is not affected. This vulnerability does not affect systems when the Windows feature Core Isolation Memory Integrity is enabled. Lenovo systems preloaded with Windows 11 have this feature enabled by default.

Exploits (5)

github WORKING POC 118 stars

by symeonp · c++poc

https://github.com/symeonp/Lenovo-CVE-2025-8061

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2025-8061, targeting the Lenovo LnvMSRIO.sys driver (version 3.1.0.36) to achieve local privilege escalation (LPE) by leveraging arbitrary read/write primitives to bypass SMEP and execute token-stealing shellcode. The exploit includes detailed technical notes on offset adjustments, ASLR bypass techniques, and shellcode modifications for different Windows versions.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Lenovo LnvMSRIO.sys driver (version 3.1.0.36)

No auth needed

Prerequisites: Windows 11 Version 24H2 with KVAShadowing and Core Isolation disabled · Specific kernel offsets for the target system · Administrative or local access to execute the exploit

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WRITEUP 7 stars

by spawn451 · poc

https://github.com/spawn451/CVE-2025-8061-Exploit

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2025-8061, a vulnerability in the Lenovo MSR I/O Driver (LnvMSRIO.sys) that allows arbitrary physical memory read/write operations. It includes IOCTL details, input structures, and exploitation techniques using Superfetch for VA-to-PA translation.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Lenovo MSR I/O Driver (LnvMSRIO.sys)

Auth required

Prerequisites: Administrator privileges · 64-bit Windows · Driver file (LnvMSRIO.sys)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 3 stars

by segura2010 · poc

https://github.com/segura2010/lenovo-dispatcher-poc

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-8061, targeting the Lenovo Dispatcher driver (LnvMSRIO.sys). The exploit leverages read/write primitives to steal the system token from ntoskrnl.exe by translating virtual to physical addresses using Superfetch/PFN and overwriting the NtAddAtom function with shellcode.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Lenovo Dispatcher driver (LnvMSRIO.sys) on Windows 10 (22h2) and Windows 11 (25h2)

Auth required

Prerequisites: Administrative privileges · Lenovo Dispatcher driver installed · Windows 10 (22h2) or Windows 11 (25h2)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-8061

View Code ZIP pw:eip

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN

No auth needed

Prerequisites: network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

github WORKING POC

by vxqs · c++poc

https://github.com/vxqs/Lenovo-CVE-2025-8061

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2025-8061, demonstrating privilege escalation via Lenovo's LnvMSRIO.sys driver by reading/writing MSRs and physical memory. The code includes driver interaction, process enumeration, and PEB address retrieval, confirming exploitability.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Lenovo LnvMSRIO.sys driver

No auth needed

Prerequisites: Lenovo system with vulnerable LnvMSRIO.sys driver · notepad.exe running for PID demonstration

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Apr 26, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://support.lenovo.com/us/en/product_security/LEN-200860

Scores

CVSS v3 7.0

EPSS 0.0001

EPSS Percentile 0.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-782

Status published

Products (2)

Lenovo/Dispatcher 3.0 Driver < 3.1.0.41

Lenovo/Dispatcher 3.1 Driver < 3.1.0.41

Published Sep 11, 2025

Tracked Since Feb 18, 2026