PT-2026-2958 · Lenovo · Lenovo Vantage

Published: 2026-01-14 · Updated: 2026-03-11 · CVE-2025-13154

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Lenovo Vantage SmartPerformanceAddin versions prior to 1.1.0.1111

Description: An improper link following issue exists in the SmartPerformanceAddin for Lenovo Vantage. This allows an authenticated local user to perform arbitrary file deletion with elevated privileges, potentially leading to full system control. The issue involves a function that clears the system with SYSTEM privileges, deleting the contents of the C:\Windows\Temp directory without sufficient validation. An attacker can place a symbolic link or junction point in this directory, causing the deletion process to affect arbitrary files and folders outside of Temp when executed with SYSTEM privileges. The vulnerability allows for privilege escalation to SYSTEM level without requiring complex techniques. The vulnerability was discovered through collaboration between John Ostrowski (Compass Security) and Manuel Kiesel (Cyllective AG).

Recommendations: Update SmartPerformanceAddin to version 1.1.0.1111 or later.
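
The weakness described above is a cleanup routine that descends through whatever it finds in the directory. The following is an added example, not Lenovo's code or fix, of a cleaner that removes symbolic links and reparse points themselves and never lists or opens their targets. The function names are hypothetical, and a privileged Windows service would additionally need handle-based checks to close the window between the check and the delete.

```python
import os
import stat


def is_link_or_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks and, on Windows, any reparse point (junctions included)."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return entry.is_symlink() or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def clean_directory(root: str) -> dict:
    """Delete the contents of root without descending through any link.

    Returns counts of what was removed so the caller can log them.
    """
    report = {"files": 0, "dirs": 0, "links_unlinked": 0}
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        if is_link_or_reparse_point(entry):
            # Remove the link object itself; its target is never listed or opened.
            try:
                os.unlink(entry.path)
            except (IsADirectoryError, PermissionError):
                os.rmdir(entry.path)  # fallback for directory links
            report["links_unlinked"] += 1
        elif entry.is_dir(follow_symlinks=False):
            # A real directory: empty it with the same rules, then remove it.
            sub = clean_directory(entry.path)
            for key in report:
                report[key] += sub[key]
            os.rmdir(entry.path)
            report["dirs"] += 1
        else:
            os.unlink(entry.path)
            report["files"] += 1
    return report
```

A non-zero `links_unlinked` count for a system temp directory is worth logging, since ordinary temporary files are rarely links.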

Fix · LPE · Link Following

Weakness Enumeration

Related Identifiers: CVE-2025-13154

Affected Products: Lenovo Vantage