Lenovo laptop has a vulnerability that helps to gain admin rights

Lenovo laptops, including ThinkPad and Yoga models, have vulnerabilities that lead to a privilege escalation attack in the ImControllerServices service. Exploiting these vulnerabilities, hackers can execute code remotely with admin rights.

This vulnerability is tracked under code CVE-2021-3922 and CVE-2021-3969 and affects the ImControllerService component of all versions of Lenovo System Interface Foundation lower than When viewed in the Windows service screen, the service will show up as “System Interface Foundation Service”.

ImControllerService helps Lenovo devices communicate with universal applications such as Lenovo Companion, Lenovo Settings, and Lenovo ID. The service comes pre-installed on many Lenovo devices including the Yoga and ThinkPads.

The above vulnerabilities were discovered by NCC Group researchers and they reported to Lenovo on October 29, 2021. Lenovo released the security update on November 17, 2021 while the related security advisory was released on December 14, 2021.

A vulnerable system component

Since ImControllerService needs to fetch and install files from the Lenovo server, execute subprocesses, and perform system maintenance and configuration tasks, it runs with the highest privilege of SYSTEM.

The SYSTEM privilege is the highest user privilege available to Windows, allowing someone to execute almost any command on the operating system. Basically, if one has SYSTEM rights, one can take full control of the system to install malware, viruses, add users or change almost any system settings.

This Windows service will create other subprocesses, opening named pipe servers that the ImController services used to communicate with the subprocess. When ImController needs one of these services to execute a command, it connects to the named pipe and issues the serialized XML commands that need to be executed.

Unfortunately, communications between privileged subroutines are not handled securely by this service and fail to authenticate the source of the serialized XML commands. This means that any other process, even a malicious one, can connect to the subprocess to issue their own commands.

Thus, an attacker could take advantage of this vulnerability to send instructions to download the plugin from an arbitrary location on the file system.

Lenovo laptop has a vulnerability that helps to gain admin rights

The second vulnerability is a time-of-use (TOCTOU) system vulnerability that allows hackers to stop the loading of the authenticated ImControllerService plugin and replace it with a DLL of their choice.

When the lock is unlocked and the process resumes loading, the DLL will be executed leading to a privilege escalation attack.

Update is the only fix

All Lenovo laptop and computer users running ImController version or later need to upgrade to the current latest version (

To determine the version of ImController running on your computer, perform the following steps:

  • Open File Explorer then find C:WindowsLenovoImControllerPluginHost.
  • Right click on Lenovo.Modern.ImController.PluginHost.exe then choose Properties.
  • Choose card Details.
  • Read the version of File.

Removing the ImController or Lenovo System Interface Foundation component is not recommended as it may affect some functions on your computer. However, if safety comes first for you, this is also a solution that you should consider.


Related Posts

Leave a Reply

Your email address will not be published.