Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-5474

Summary
Assigner-lenovo
Assigner Org ID-da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At-11 Oct, 2024 | 15:15
Updated At-11 Oct, 2024 | 19:07
Rejected At-
Credits

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:lenovo
Assigner Org ID:da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At:11 Oct, 2024 | 15:15
Updated At:11 Oct, 2024 | 19:07
Rejected At:
▼CVE Numbering Authority (CNA)

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

Affected Products
Vendor
Lenovo Group LimitedLenovo
Product
Dolby Vision Provisioning software
Default Status
unaffected
Versions
Affected
  • From 0 before 2.0.0.2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-276CWE-276 Incorrect Default Permissions
Type: CWE
CWE ID: CWE-276
Description: CWE-276 Incorrect Default Permissions
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Dolby Vision Provisioning package to version 2.0.0.2 or later. https://support.lenovo.com/us/en/downloads/ds543424-dolby-vision-provisioning-driver-for-windows-10-64-bit-version-1709-or-later-thinkpad-ideapad-ideacentre

Configurations
Workarounds
Exploits
Credits
finder
Lenovo thanks Alaa Kachouh for reporting this issue.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.lenovo.com/us/en/product_security/LEN-158394
N/A
Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-158394
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Lenovo Group Limitedlenovo
Product
dolby_vision_provisioning_software
CPEs
  • cpe:2.3:a:lenovo:dolby_vision_provisioning_software:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2.0.0.2 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@lenovo.com
Published At:11 Oct, 2024 | 16:15
Updated At:15 Nov, 2024 | 17:00

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Lenovo Group Limited
lenovo
>>dolby_vision_provisioning>>Versions before 2.0.0.2(exclusive)
cpe:2.3:a:lenovo:dolby_vision_provisioning:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-276Primarynvd@nist.gov
CWE-276Secondarypsirt@lenovo.com
CWE ID: CWE-276
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-276
Type: Secondary
Source: psirt@lenovo.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.lenovo.com/us/en/product_security/LEN-158394psirt@lenovo.com
Vendor Advisory
Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-158394
Source: psirt@lenovo.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

114Records found
CVE-2021-3720
Matching Score-10
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-10
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 13.55%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 22:05
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.

Action-Not Available
Vendor-Lenovo Group Limited
Product-legion_phone2_pro_\(l70081\)legion_phone_pro_\(l79031\)firmwarelegion_phone_pro_\(l79031\)legion_phone2_pro_\(l70081\)_firmwareLegion Phone Pro (L79031)Legion Phone2 Pro (L70081)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-11193
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-6.8||MEDIUM
EPSS-0.01% / 2.61%
||
7 Day CHG~0.00%
Published-03 Nov, 2025 | 21:40
Updated-04 Nov, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Tab M11 TB330FU TB330XUTab M9 TB310FU TB310XUTab K9 TB305FUTab M10 5G TB360ZUTab P11 2nd Gen TB350XU TB350FUTab M8 4th Gen 2024 TB301FU TB301XUTab Plus TB520FUTab One TB305FUXUTab K9 TB305XUTab P12 TB370FU TB372FUTab Extreme TB570ZU TB570FUYoga Tab Plus TB520FUIdea Tab Pro TB373FUTab K11 TB330FU TB330FUP TB330XU TB330XUPTab WiFi 5GTab K11 Plus LTE TB352FU TB352XUTab WIFITab M8 4th Gen TB300FU TB300XUTab K11 Plus WIFI TB352FU
CWE ID-CWE-256
Plaintext Storage of a Password
CVE-2021-3786
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-4.4||MEDIUM
EPSS-0.04% / 13.46%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 22:05
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_t14sthinkpad_x13_yoga_gen_1thinkpad_l460_firmwarethinkpad_p17_gen_1thinkpad_11e_4th_gen_firmwarethinkpad_e490thinkpad_x1_fold_gen_1thinkpad_p51sthinkpad_p53thinkpad_x1_carbon_3rd_genthinkpad_p72_firmwarethinkpad_x12_detachable_gen_1_firmwarethinkpad_l590thinkpad_l460thinkpad_p52thinkpad_l13_yoga_gen_2_firmwarethinkpad_p70thinkpad_13_gen_2thinkpad_e470_firmwarethinkpad_x1_carbon_gen_8thinkpad_t460pthinkpad_p1thinkpad_e15_firmwarethinkpad_x1_tablet_firmwarethinkpad_t14s_firmwarethinkpad_l380_yoga_firmwarethinkpad_x280thinkpad_x390thinkpad_s540thinkpad_t15g_gen_1thinkpad_l470_firmwareideapad_yoga_s940-14iwlthinkpad_x1_carbon_3rd_gen_firmwarethinkpad_t490_firmwarethinkpad_l380_firmwarethinkpad_t15_firmwarethinkpad_t560_firmwarethinkpad_t580thinkpad_l390_yogathinkpad_t15p_gen_1_firmwarethinkpad_s5_2nd_gen_firmwarethinkpad_x1_carbon_gen_6_firmwarethinkpad_t570_firmwarethinkpad_yoga_11e_5th_genthinkpad_x1_carbon_5th_gen_kabylakethinkpad_t15p_gen_1thinkpad_x1_extreme_gen_3thinkpad_l570_firmwarethinkpad_x380_yoga_firmwarev330-15iskthinkpad_l13_yogathinkpad_11e_yoga_gen_6_firmwarethinkpad_s540_firmwarethinkpad_x1_yoga_4th_genthinkpad_t15g_gen_1_firmwarethinkpad_p52_firmwarethinkpad_x1_carbon_gen_6thinkpad_t580_firmwarethinkpad_e15v130-15igm_firmwarethinkpad_e15_gen_3_firmwarethinkpad_e14_gen_3_firmwarethinkpad_t460sthinkpad_11e_3rd_genthinkpad_x390_yogathinkpad_e570thinkpad_x1_carbon_gen_8_firmwarethinkpad_s5_2nd_genthinkpad_p14s_gen_1thinkpad_x1_yoga_3rd_gen_firmwarethinkpad_x1_extreme_firmwarethinkpad_11e_4th_genthinkpad_x13_gen_1_firmwarethinkpad_25_firmwarethinkpad_yoga_11e_5th_gen_firmwarethinkpad_e580thinkpad_p1_gen_3thinkpad_l13_gen_2thinkpad_x1_tablet_gen_3_firmwarethinkpad_p71thinkpad_x1_titanium_firmwarethinkpad_10_firmwarethinkpad_t14s_gen_2_firmwarethinkpad_e480_firmwarethinkpad_p51s_firmwarethinkpad_x250thinkpad_x1_carbon_gen_7ideapad_s940-14iwlthinkpad_t460_firmwarethinkpad_t460s_firmwarethinkpad_p15s_gen_2_firmwarethinkpad_x270_firmwarethinkpad_x1_carbon_5th_gen_skylake_firmwarethinkpad_s2_yoga_gen_6_firmwarethinkpad_x12_detachable_gen_1thinkpad_p1_gen_3_firmwarethinkpad_helix_firmwarethinkpad_l490thinkpad_t480s_firmwarethinkpad_p71_firmwarethinkpad_x1_carbon_5th_gen_skylakethinkpad_x1_tablet_gen_3thinkpad_l590_firmwarethinkpad_e15_gen_2_firmwarethinkpad_e15_gen_2thinkpad_l15thinkpad_t15_gen_2thinkpad_x1_titaniumthinkpad_l560_firmwarethinkpad_x260thinkpad_x1_nano_gen_1_firmwarethinkpad_11e_3rd_gen_firmwarethinkpad_p14s_gen_2thinkpad_e15_gen_3thinkpad_x250_firmwarethinkpad_p15v_gen_1_firmwarethinkpad_p53s_firmwarethinkpad_p15_gen_1v130-15igmthinkpad_x1_extreme_2ndthinkpad_t470_firmwarethinkpad_p52sthinkpad_13_gen_2_firmwarethinkpad_l13_yoga_firmwarethinkpad_t480_firmwarethinkpad_p50_firmwarethinkpad_25thinkpad_e580_firmwarethinkpad_x260_firmwarethinkpad_e590_firmwarethinkpad_t570thinkpad_l560thinkpad_t490thinkpad_x280_firmwarethinkpad_x1_yoga_1st_gen_firmwarethinkpad_t590thinkpad_t550thinkpad_p73_firmwarethinkpad_x1_tabletthinkpad_x1_carbon_5th_gen_kabylake_firmwarethinkpad_w550sthinkpad_l480thinkpad_x1_carbon_gen_7_firmwarethinkpad_t460thinkpad_x390_firmwarethinkpad_l390_yoga_firmwarethinkpad_s2_yoga_gen_6thinkpad_x270thinkpad_x1_yoga_gen_5_firmwarethinkpad_l580_firmwarethinkpad_t14_gen_2_firmwarethinkpad_e14_gen_2thinkpad_10ideapad_s940-14iwl_firmwarethinkpad_p50s_firmwarethinkpad_yoga_370thinkpad_p15s_gen_1_firmwarethinkpad_x13_yoga_gen_1_firmwarethinkpad_t440p_firmwarethinkpad_l470thinkpad_e570_firmwarethinkpad_t440pthinkpad_yoga_15thinkpad_l15_gen_2thinkpad_x390_yoga_firmwarethinkpad_p15v_gen_1thinkpad_l380thinkpad_t590_firmwarethinkpad_yoga_11e_4th_gen_firmwarethinkpad_x1_extremethinkpad_l490_firmwarethinkpad_yoga_11e_3rd_gen_firmwarethinkpad_x1_tablet_gen_2_firmwarethinkpad_p1_gen_2_firmwarethinkpad_t460p_firmwarethinkpad_l13_firmwarethinkpad_p52s_firmwarethinkpad_x13_gen_2thinkpad_l15_gen_2_firmwarethinkpad_x1_carbon_4th_gen_firmwarethinkpad_t550_firmwarethinkpad_l13_gen_2_firmwarethinkpad_e590thinkpad_x1_yoga_3rd_genthinkpad_e14_gen_3thinkpad_x13_gen_1thinkpad_s2_gen_6thinkpad_x1_nano_gen_1thinkpad_p1_firmwarethinkpad_t15thinkpad_p15_gen_1_firmwarethinkpad_p14s_gen_2_firmwarethinkpad_p15s_gen_1v330-15ikb_firmwarethinkpad_t14s_gen_2thinkpad_x1_yoga_gen_5thinkpad_x380_yogathinkpad_l480_firmwarethinkpad_p53sthinkpad_t480sthinkpad_x13_yoga_gen_2thinkpad_x1_extreme_2nd_firmwarethinkpad_p51_firmwarethinkpad_e14ideapad_yoga_s940-14iwl_firmwarethinkpad_l13_yoga_gen_2thinkpad_l570thinkpad_x1_yoga_4th_gen_firmwarethinkpad_p43sthinkpad_l390_firmwarethinkpad_t490s_firmwarethinkpad_l14_firmwarethinkpad_t14_gen_2thinkpad_x1_extreme_gen_3_firmwarethinkpad_t470s_firmwarethinkpad_p14s_gen_1_firmwarethinkpad_l580thinkpad_p50thinkpad_x1_tablet_gen_2v330-15ikbthinkpad_s2_gen_6_firmwarethinkpad_x13_yoga_gen_2_firmwarethinkpad_p1_gen_2thinkpad_t470p_firmwarethinkpad_11e_yoga_gen_6thinkpad_x13_gen_2_firmwarethinkpad_e490_firmwarethinkpad_p70_firmwarethinkpad_t560thinkpad_e14_gen_2_firmwarethinkpad_t470thinkpad_x1_carbon_4th_genthinkpad_p17_gen_1_firmwarethinkpad_yoga_11e_3rd_genthinkpad_l390thinkpad_t15_gen_2_firmwarethinkpad_p53_firmwarethinkpad_p50sthinkpad_x1_yoga_1st_genv330-15isk_firmwarethinkpad_l15_firmwarethinkpad_e480thinkpad_yoga_260thinkpad_p51thinkpad_l380_yogathinkpad_x1_fold_gen_1_firmwarethinkpad_l14thinkpad_l13thinkpad_t490sthinkpad_p73thinkpad_e470thinkpad_yoga_11e_4th_genthinkpad_yoga_15_firmwarethinkpad_t470sthinkpad_p72thinkpad_t14_gen_1thinkpad_yoga_260_firmwarethinkpad_t470pthinkpad_helixthinkpad_t14_gen_1_firmwarethinkpad_w550s_firmwarethinkpad_e14_firmwarethinkpad_yoga_370_firmwarethinkpad_p15s_gen_2thinkpad_t480thinkpad_p43s_firmwareNotebook and ThinkPad BIOS
CWE ID-CWE-20
Improper Input Validation
CVE-2025-13454
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-6.8||MEDIUM
EPSS-0.01% / 0.26%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 22:18
Updated-25 Feb, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkplus_tu800_firmwarethinkplus_fu200_firmwarethinkplus_fu100_firmwarethinkplus_tsd303thinkplus_fu200thinkplus_tsd303_firmwarethinkplus_fu100thinkplus_tu800ThinkPlus FU100ThinkPlus FU200ThinkPlus TU800ThinkPlus TSD303
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2022-1109
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 28.60%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 19:23
Updated-02 Apr, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service.

Action-Not Available
Vendor-Lenovo Group Limited
Product-leyunLeyun
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-3112
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.06% / 18.52%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 20:31
Updated-12 Sep, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ThinkPad T14 Gen 3 that could allow an attacker with local access to execute code with elevated privileges.

Action-Not Available
Vendor-ellipticlabsLenovo Group Limited
Product-virtual_lock_sensorai_virtual_presence_sensorthinkpad_t14_gen_3AI Virtual Presence SensorElliptic Labs Virtual Lock Sensorthinkpad_t14_gen_3
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29058
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 29.22%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 20:47
Updated-30 Jan, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinksystem_sn550thinksystem_sr530_firmwarethinkagile_hx3375_firmwarethinksystem_sr570_firmwarethinkagile_hx5530thinksystem_sr158thinkagile_hx3721thinksystem_sd630_v2_firmwarethinksystem_sr665_firmwarethinksystem_sd650thinkagile_hx3520-g_firmwarethinkagile_hx3521-g_firmwarethinkagile_mx3531_h_firmwarethinksystem_st250thinkagile_vx1320_firmwarethinksystem_sr850thinksystem_sr158_firmwarethinkagile_vx3320_firmwarethinkagile_hx7530_firmwarethinkagile_hx2330thinkagile_vx7820thinksystem_sn850thinkagile_hx5520thinkagile_vx7530_firmwarethinkedge_se450_thinkagile_vx3320thinkagile_vx5520_firmwarethinksystem_st550_firmwarethinksystem_sr630thinkagile_mx1021_on_se350_firmwarethinksystem_sr950thinkagile_vx7320_nthinksystem_st658_v2thinkagile_hx1521-r_firmwarethinkagile_hx7820thinkagile_vx2320thinkagile_vx7520_nthinkagile_hx7520_firmwarethinkagile_vx_2u4nthinksystem_sr860_firmwarethinksystem_sr650_v2_firmwarethinkagile_hx5520-cthinksystem_sr630_v2thinkagile_hx_enclosure_firmwarethinkagile_hx7820_firmwarethinkagile_hx3720thinksystem_sd530thinksystem_sr860_v2thinksystem_sn850_firmwarethinkagile_mx1021_on_se350thinkagile_vx_4u_firmwarethinksystem_st650_v2thinksystem_sr258_v2thinkagile_hx7521_firmwarethinkagile_hx1021thinkagile_hx3375thinkagile_vx2320_firmwarethinksystem_sr250_v2_firmwarethinkagile_vx3330thinkagile_mx3330-h_firmwarethinkagile_hx2720-e_firmwarethinkagile_hx3331_firmwarethinksystem_st250_firmwarethinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_sr570thinksystem_sd650-n_v2thinkagile_vx7520thinkagile_hx3321_firmwarethinksystem_sr670_v2_firmwarethinksystem_sr670_v2thinkagile_vx_4uthinkagile_mx3331-f_firmwarethinkagile_hx2320-e_firmwarethinkagile_hx1331thinkagile_hx3331thinkagile_hx7521thinkagile_vx5520thinksystem_sr550thinkagile_mx3330-hthinkagile_vx7530thinkagile_vx3520-g_firmwarethinksystem_se350_firmwarethinkagile_mx3530-hthinksystem_sd650_firmwarethinksystem_st250_v2thinkagile_hx2321_firmwarethinkagile_hx2321thinkagile_hx3721_firmwarethinkagile_mx3330-f_firmwarethinksystem_sr860_v2_firmwarethinksystem_sr850p_firmwarethinksystem_st258thinkagile_hx1320thinkagile_hx1321_firmwarethinksystem_sr850pthinkagile_hx1320_firmwarethinksystem_sn550_v2thinkstation_p920_firmwarethinksystem_sr258_v2_firmwarethinkagile_hx3320_firmwarethinkagile_hx3521-gthinkagile_hx2331_firmwarethinkagile_mx3530_f_firmwarethinksystem_st650_v2_firmwarethinkagile_mx3330-fthinksystem_st258_v2_firmwarethinksystem_st258_firmwarethinkagile_hx3376_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_vx7531_firmwarethinkagile_hx7821_firmwarethinksystem_sr850_firmwarethinkagile_vx3330_firmwarethinksystem_st550thinkagile_hx7531thinkagile_vx3520-gthinksystem_st658_v2_firmwarethinkagile_vx7531thinkagile_vx_2u4n_firmwarethinksystem_sr670_firmwarethinksystem_sr150thinkagile_vx3720thinksystem_sr850_v2_firmwarethinksystem_sr250_v2thinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3530-h_firmwarethinkagile_hx_enclosurethinkagile_hx1321thinksystem_st250_v2_firmwarethinkagile_hx7520thinkagile_hx3330thinkagile_mx3331-h_firmwarethinkedge_se450__firmwarethinksystem_sr645_v3_firmwarethinkagile_hx2720-ethinkagile_hx1331_firmwarethinksystem_sr650_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinkagile_hx3321thinkagile_hx7530thinksystem_sr250thinksystem_sr530thinkagile_hx5520_firmwarethinksystem_sr850_v2thinksystem_se350thinkagile_mx1020_firmwarethinkagile_mx1020thinksystem_sr665thinksystem_sr150_firmwarethinkagile_hx3520-gthinkagile_vx7320_n_firmwarethinksystem_sr860thinkagile_hx7821thinkagile_hx3720_firmwarethinkagile_hx5521_firmwarethinksystem_sr645_firmwarethinkagile_hx1021_firmwarethinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinkagile_vx7820_firmwarethinkagile_hx5520-c_firmwarethinksystem_sd530_firmwarethinkagile_vx_1sethinkagile_mx3331-hthinkagile_hx5521-c_firmwarethinksystem_sd650_v2thinkstation_p920thinksystem_sr650_v2thinkagile_vx7330thinksystem_sn550_firmwarethinkagile_hx5521-cthinksystem_sr250_firmwarethinksystem_sr258_firmwarethinksystem_sr590_firmwarethinkagile_mx3530_fthinkagile_hx1520-rthinksystem_sd630_v2thinkagile_hx1521-rthinkagile_hx1520-r_firmwarethinkagile_hx3320thinkagile_vx3720_firmwarethinkagile_hx5531thinkagile_vx_1se_firmwarethinksystem_sr630_firmwarethinkagile_vx7520_n_firmwarethinksystem_sr550_firmwarethinkagile_hx2331thinkagile_hx2320-ethinkagile_vx5530thinkagile_mx3331-fthinkagile_hx7531_firmwarethinkagile_vx1320thinksystem_sr645thinksystem_sr670thinksystem_sr590thinkagile_vx3331_firmwarethinkagile_vx7520_firmwarethinksystem_sr950_firmwarethinkagile_vx2330_firmwarethinkagile_vx3530-g_firmwarethinksystem_sr630_v2_firmwarethinksystem_sr665_v3thinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_mx3531_hthinkagile_vx3530-gthinkagile_vx5530_firmwarethinksystem_sr650thinksystem_sr258thinkagile_hx5521thinkagile_mx3531-fthinkagile_mx3531-f_firmwareXClarity Controller
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-8098
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-8.5||HIGH
EPSS-0.02% / 6.31%
||
7 Day CHG~0.00%
Published-18 Aug, 2025 | 20:05
Updated-26 Feb, 2026 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPC Manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-8421
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.2||MEDIUM
EPSS-0.01% / 1.50%
||
7 Day CHG~0.00%
Published-12 Nov, 2025 | 19:17
Updated-14 Nov, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Dock Manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-8485
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7||HIGH
EPSS-0.01% / 1.17%
||
7 Day CHG~0.00%
Published-12 Nov, 2025 | 19:18
Updated-02 Feb, 2026 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application.

Action-Not Available
Vendor-Lenovo Group Limited
Product-app_storeApp Store
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29057
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.3||HIGH
EPSS-0.27% / 50.51%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 20:53
Updated-30 Jan, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinksystem_sn550thinksystem_sr530_firmwarethinkagile_hx3375_firmwarethinksystem_sr570_firmwarethinkagile_hx5530thinksystem_sr158thinkagile_hx3721thinksystem_sd630_v2_firmwarethinksystem_sr665_firmwarethinksystem_sd650thinkagile_hx3520-g_firmwarethinkagile_hx3521-g_firmwarethinkagile_mx3531_h_firmwarethinksystem_st250thinkagile_vx1320_firmwarethinksystem_sr850thinksystem_sr158_firmwarethinkagile_vx3320_firmwarethinkagile_hx7530_firmwarethinkagile_hx2330thinkagile_vx7820thinksystem_sn850thinkagile_hx5520thinkagile_vx7530_firmwarethinkedge_se450_thinkagile_vx3320thinkagile_vx5520_firmwarethinksystem_st550_firmwarethinksystem_sr630thinkagile_mx1021_on_se350_firmwarethinksystem_sr950thinkagile_vx7320_nthinksystem_st658_v2thinkagile_hx1521-r_firmwarethinkagile_hx7820thinkagile_vx2320thinkagile_vx7520_nthinkagile_hx7520_firmwarethinkagile_vx_2u4nthinksystem_sr860_firmwarethinksystem_sr650_v2_firmwarethinkagile_hx5520-cthinksystem_sr630_v2thinkagile_hx_enclosure_firmwarethinkagile_hx7820_firmwarethinkagile_hx3720thinksystem_sd530thinksystem_sr860_v2thinksystem_sn850_firmwarethinkagile_mx1021_on_se350thinkagile_vx_4u_firmwarethinksystem_st650_v2thinksystem_sr258_v2thinkagile_hx7521_firmwarethinkagile_hx1021thinkagile_hx3375thinkagile_vx2320_firmwarethinksystem_sr250_v2_firmwarethinkagile_vx3330thinkagile_mx3330-h_firmwarethinkagile_hx2720-e_firmwarethinkagile_hx3331_firmwarethinksystem_st250_firmwarethinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_sr570thinksystem_sd650-n_v2thinkagile_vx7520thinkagile_hx3321_firmwarethinksystem_sr670_v2_firmwarethinksystem_sr670_v2thinkagile_vx_4uthinkagile_mx3331-f_firmwarethinkagile_hx2320-e_firmwarethinkagile_hx1331thinkagile_hx3331thinkagile_hx7521thinkagile_vx5520thinksystem_sr550thinkagile_mx3330-hthinkagile_vx7530thinkagile_vx3520-g_firmwarethinksystem_se350_firmwarethinkagile_mx3530-hthinksystem_sd650_firmwarethinksystem_st250_v2thinkagile_hx2321_firmwarethinkagile_hx2321thinkagile_hx3721_firmwarethinkagile_mx3330-f_firmwarethinksystem_sr860_v2_firmwarethinksystem_sr850p_firmwarethinksystem_st258thinkagile_hx1320thinkagile_hx1321_firmwarethinksystem_sr850pthinkagile_hx1320_firmwarethinksystem_sn550_v2thinkstation_p920_firmwarethinksystem_sr258_v2_firmwarethinkagile_hx3320_firmwarethinkagile_hx3521-gthinkagile_hx2331_firmwarethinkagile_mx3530_f_firmwarethinksystem_st650_v2_firmwarethinkagile_mx3330-fthinksystem_st258_v2_firmwarethinksystem_st258_firmwarethinkagile_hx3376_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_vx7531_firmwarethinkagile_hx7821_firmwarethinksystem_sr850_firmwarethinkagile_vx3330_firmwarethinksystem_st550thinkagile_hx7531thinkagile_vx3520-gthinksystem_st658_v2_firmwarethinkagile_vx7531thinkagile_vx_2u4n_firmwarethinksystem_sr670_firmwarethinksystem_sr150thinkagile_vx3720thinksystem_sr850_v2_firmwarethinksystem_sr250_v2thinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3530-h_firmwarethinkagile_hx_enclosurethinkagile_hx1321thinksystem_st250_v2_firmwarethinkagile_hx7520thinkagile_hx3330thinkagile_mx3331-h_firmwarethinkedge_se450__firmwarethinksystem_sr645_v3_firmwarethinkagile_hx2720-ethinkagile_hx1331_firmwarethinksystem_sr650_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinkagile_hx3321thinkagile_hx7530thinksystem_sr250thinksystem_sr530thinkagile_hx5520_firmwarethinksystem_sr850_v2thinksystem_se350thinkagile_mx1020_firmwarethinkagile_mx1020thinksystem_sr665thinksystem_sr150_firmwarethinkagile_hx3520-gthinkagile_vx7320_n_firmwarethinksystem_sr860thinkagile_hx7821thinkagile_hx3720_firmwarethinkagile_hx5521_firmwarethinksystem_sr645_firmwarethinkagile_hx1021_firmwarethinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinkagile_vx7820_firmwarethinkagile_hx5520-c_firmwarethinksystem_sd530_firmwarethinkagile_vx_1sethinkagile_mx3331-hthinkagile_hx5521-c_firmwarethinksystem_sd650_v2thinkstation_p920thinksystem_sr650_v2thinkagile_vx7330thinksystem_sn550_firmwarethinkagile_hx5521-cthinksystem_sr250_firmwarethinksystem_sr258_firmwarethinksystem_sr590_firmwarethinkagile_mx3530_fthinkagile_hx1520-rthinksystem_sd630_v2thinkagile_hx1521-rthinkagile_hx1520-r_firmwarethinkagile_hx3320thinkagile_vx3720_firmwarethinkagile_hx5531thinkagile_vx_1se_firmwarethinksystem_sr630_firmwarethinkagile_vx7520_n_firmwarethinksystem_sr550_firmwarethinkagile_hx2331thinkagile_hx2320-ethinkagile_vx5530thinkagile_mx3331-fthinkagile_hx7531_firmwarethinkagile_vx1320thinksystem_sr645thinksystem_sr670thinksystem_sr590thinkagile_vx3331_firmwarethinkagile_vx7520_firmwarethinksystem_sr950_firmwarethinkagile_vx2330_firmwarethinkagile_vx3530-g_firmwarethinksystem_sr630_v2_firmwarethinksystem_sr665_v3thinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_mx3531_hthinkagile_vx3530-gthinkagile_vx5530_firmwarethinksystem_sr650thinksystem_sr258thinkagile_hx5521thinkagile_mx3531-fthinkagile_mx3531-f_firmwareXClarity Controller
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3722
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5||MEDIUM
EPSS-0.03% / 10.22%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 20:30
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3451
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 13.32%
||
7 Day CHG~0.00%
Published-27 Apr, 2021 | 15:27
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-9085
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-4.9||MEDIUM
EPSS-0.14% / 33.24%
||
7 Day CHG~0.00%
Published-16 Nov, 2018 | 14:00
Updated-05 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing System x Flash Memory Write Protection Lock Bit

A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.

Action-Not Available
Vendor-IBM CorporationLenovo Group Limited
Product-system_x3530_m4_firmwarebladecenter_hs23e_firmwareflex_system_x880_x6_firmwaresystem_x3100_m5_firmwaresystem_x3630_m4_firmwareflex_system_x222_m4_firmwaresystem_x3630_m4flex_system_x220flex_system_x220_m4_firmwaresystem_x3850_x6_firmwareflex_system_x280_x6system_x3650_m4_firmwareidataplex_dx360_m4_firmwarebladecentersystem_x3650_m4_hd_firmwaresystem_x3300_m4system_x3100_m4_firmwaresystem_x3250_m5system_x3650_m4_hdsystem_x3250_m4flex_system_x240_m4_firmwaresystem_x3750_m4_firmwareidataplex_dx360_m4_water_cooled_firmwareflex_system_x880_x6system_x3550_m4system_x3850_x6system_x3650_m4_bd_firmwaresystem_x3950_x6system_x3650_m4_bdbladecenter_hs23_firmwaresystem_x3750_m4system_x3550_m4_firmwareflex_system_x480_x6_firmwareidataplex_dx360_m4_flex_system_x222_m4system_x3950_x6_firmwaresystem_x3250_m4_firmwareflex_system_x480_x6system_x3100_m5system_x3500_m4_firmwaresystem_x3300_m4_firmwaresystem_x3500_m4system_x3100_m4system_x3250_m5_firmwaresystem_x3530_m4flex_system_x440_m4system_x3650_m4flex_system_x240_m4flex_system_x280_x6_firmwareflex_system_x440_m4_firmwareSystem x UEFI
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-4763
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.05% / 16.86%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 14:17
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure driver vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges to kernel.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Accessories and Display ManagerDisplay Control Centerdisplay_control_centeraccessories_and_display_manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-4575
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.01% / 0.24%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 14:42
Updated-03 Aug, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability due to improper write protection of UEFI variables was reported in the BIOS of some ThinkPad models could allow an attacker with physical or local access and elevated privileges the ability to bypass Secure Boot.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_p70_firmwarethinkpad_p50_firmwarethinkpad_t560thinkpad_p70thinkpad_x1_carbon_4th_gen_firmwarethinkpad_25thinkpad_25_firmwarethinkpad_t470thinkpad_x1_carbon_4th_genthinkpad_x260_firmwarethinkpad_t470s_firmwarethinkpad_p50thinkpad_t470sthinkpad_x270thinkpad_yoga_260_firmwarethinkpad_l560thinkpad_p50sthinkpad_t560_firmwarethinkpad_x270_firmwarethinkpad_x1_yoga_1st_genthinkpad_x1_yoga_1st_gen_firmwarethinkpad_l560_firmwarethinkpad_x260thinkpad_p50s_firmwarethinkpad_yoga_260thinkpad_t470_firmwareThinkPad BIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-4568
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7||HIGH
EPSS-0.04% / 13.60%
||
7 Day CHG~0.00%
Published-01 May, 2023 | 14:36
Updated-30 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-system_updateLenovo System Update
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-4569
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.05% / 15.48%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 20:59
Updated-08 Jan, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_hybrid_usb-c_with_usb-a_dockthinkpad_hybrid_usb-c_with_usb-a_dock_firmwareThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-2175
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.05% / 15.02%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 14:17
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure permissions vulnerability was reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM) that could allow a local attacker to escalate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Accessories and Display ManagerDisplay Control Centerdisplay_control_centeraccessories_and_display_manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3462
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 14.87%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 20:41
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_l15_gen_1thinkpad_x13_yoga_gen_1thinkpad_a275thinkpad_e15thinkpad_x1_yoga_gen_2thinkpad_p17_gen_1thinkpad_x380_yogathinkpad_a485thinkpad_25thinkpad_s2_yoga_gen_5thinkpad_e490thinkpad_s2_gen_2thinkpad_p53sthinkpad_t480sthinkpad_t570thinkpad_s1_gen_4thinkpad_x13_yoga_gen_2thinkpad_t14s_gen_1thinkpad_t490thinkpad_p51sthinkpad_e14_gen2thinkpad_t590thinkpad_x390_yogathinkpad_p53thinkpad_x13_gen_2ithinkpad_e575thinkpad_r14_gen_2thinkpad_e14thinkpad_x1_yoga_gen_6thinkpad_e570thinkpad_l590thinkpad_l13_yoga_gen_2thinkpad_l570thinkpad_x1_carbon_gen_5thinkpad_p14s_gen_1thinkpad_p52thinkpad_p43sthinkpad_a475thinkpad_l480thinkpad_e475power_management_driverthinkpad_x1_titanium_gen_1thinkpad_s5_gen_2thinkpad_e15_gen2thinkpad_t14_gen_2thinkpad_x1_yoga_gen_4thinkpad_13_gen_2thinkpad_e495thinkpad_s2_yoga_gen_6thinkpad_x1_carbon_gen_8thinkpad_x270thinkpad_l580thinkpad_a285thinkpad_e580thinkpad_p1_gen_3thinkpad_p1thinkpad_l14_gen_2thinkpad_x1_tablet_gen_2thinkpad_l13_gen_2thinkpad_x280thinkpad_p71thinkpad_t15_gen_1thinkpad_x390thinkpad_s3_gen_2thinkpad_p1_gen_2thinkpad_t15g_gen_1thinkpad_x1_yoga_gen_3thinkpad_11e_yoga_gen_6thinkpad_r14thinkpad_yoga_370thinkpad_l470thinkpad_x1_carbon_gen_7thinkpad_x395thinkpad_l15_gen_2thinkpad_t470thinkpad_p15v_gen_1thinkpad_l390thinkpad_e570cthinkpad_l380thinkpad_t580thinkpad_l14_gen_1thinkpad_l390_yogathinkpad_r480thinkpad_x1_extremethinkpad_e480thinkpad_l490thinkpad_11e_gen_5thinkpad_l380_yogathinkpad_p51thinkpad_l13thinkpad_t490sthinkpad_p73thinkpad_e470thinkpad_t15p_gen_1thinkpad_s2_gen_5thinkpad_x1_tablet_gen_3thinkpad_x1_extreme_gen_3thinkpad_l13_yoga_gen_1thinkpad_e590thinkpad_t470sthinkpad_p72thinkpad_t14_gen_1thinkpad_t15_gen_2thinkpad_t470pthinkpad_x12thinkpad_l13_gen_1thinkpad_x13_gen_1thinkpad_t14s_gen_2ithinkpad_e470cthinkpad_s2_gen_6thinkpad_x1_nano_gen_1thinkpad_e595thinkpad_x1_carbon_gen_9thinkpad_t495thinkpad_p14s_gen_2thinkpad_l13_yogathinkpad_p15s_gen_2thinkpad_p15_gen_1thinkpad_t480thinkpad_p15s_gen_1thinkpad_x1_extreme_2ndthinkpad_p52sthinkpad_x1_carbon_gen_6thinkpad_yoga_11e_gen_5thinkpad_x1_yoga_gen_5Power Management Driver for Windows 10
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-4706
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.3||HIGH
EPSS-0.07% / 21.86%
||
7 Day CHG~0.00%
Published-08 Nov, 2023 | 21:59
Updated-02 Aug, 2024 | 07:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability was reported in Lenovo preloaded devices deployed using Microsoft AutoPilot under a standard user account due to incorrect default privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-preload_directory1Lenovo Preload Directory
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-13155
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-8.5||HIGH
EPSS-0.01% / 2.01%
||
7 Day CHG~0.00%
Published-10 Dec, 2025 | 14:08
Updated-12 Dec, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Baiying Client
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-3432
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.05% / 15.36%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 16:27
Updated-01 Apr, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in a driver used during manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Action-Not Available
Vendor-Lenovo Group Limited
Product-ideapad_y700-14isk_firmwareideapad_y700-14iskBIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-3431
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.03% / 10.41%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 18:18
Updated-19 Sep, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Action-Not Available
Vendor-Lenovo Group Limited
Product-ideapad_5_pro-16ihu6_firmwarethinkbook_plus_g3_iap_firmwareyoga_slim_7-13itl05yoga_slim_7_carbon_13itl5thinkbook_16_g4\+_arad330-10iglideapad_5_pro-16ihu6yoga_slim_7-13itl05_firmwareyoga_duet_7-13itl6-lteyoga_slim_7-13acn05_firmwareyoga_slim_7_carbon_13itl5_firmwareslim_7_16arh7_firmwareyoga_duet_7-13iml05_firmwarethinkbook_14_g4\+_araideapad_slim_7_pro_16ach6_firmwarethinkbook_13x_itgthinkbook_16_g4\+_iapthinkbook_13x_itg_firmwareideapad_5_pro_16arh7yoga_slim_7_pro_16ach6ideapad_creator_5-16ach6_firmwarethinkbook_plus_g3_iapd330-10igl_firmwareideapad_duet_3_10igl5_firmwareyoga_slim_7_pro_16arh7yoga_slim_7-13acn05ideapad_creator_5-16ach6thinkbook_plus_g2_itg_firmwarethinkbook_plus_g2_itgthinkbook_16_g4\+_iap_firmwareyoga_slim_7_pro_16ach6_firmwareyoga_duet_7-13itl6_firmwareyoga_duet_7-13iml05ideapad_5_pro_16arh7_firmwarethinkbook_16_g4\+_ara_firmwares540-15iml_firmwareideapad_slim_7_pro_16ach6slim_7_16arh7thinkbook_16p_nx_arh_firmwareyoga_duet_7-13itl6-lte_firmwareyoga_slim_7_pro_16arh7_firmwareyoga_duet_7-13itl6thinkbook_14_g4\+_iaps540-15imlideapad_5_pro-16ach6thinkbook_14_g4\+_iap_firmwarethinkbook_14_g4\+_ara_firmwareideapad_5_pro-16ach6_firmwareideapad_duet_3_10igl5thinkbook_16p_nx_arhBIOSnotebook
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-3430
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.05% / 15.36%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 16:11
Updated-02 Apr, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkbook_14_g2_are_firmwared330-10iglthinkbook_14_g3_acl_firmwareyoga_creator_7-15imh05thinkbook_14s_yoga_itl_firmwareideapad_slim_7-14iil05ideapad_5_pro_16iah7_firmwareideapad_slim_7-14iil05_firmwareyoga_slim_7-15imh05thinkbook_14_g4\+_arayoga_slim_7-15iil05thinkbook_16_g4\+_iapthinkbook_15_g3_aclyoga_creator_7-15imh05_firmwarethinkbook_15p_imp_firmwared330-10igl_firmwarethinkbook_16p_g3_arhthinkbook_15_g4_abaslim_7-14are05thinkbook_plus_g2_itgyoga_slim_7-15imh05_firmwareideapad_5_pro_16arh7_firmwarethinkbook_16_g4\+_ara_firmwareyoga_slim_7-14itl05_firmwareideapad_5_pro_16iah7thinkbook_15p_impthinkbook_14s_yoga_itlyoga_slim_7-15itl05thinkbook_16p_g3_arh_firmwareslim_7-14are05_firmwareyoga_slim_7_pro_16arh7_firmwarethinkbook_14_g4\+_iapyoga_duet_7-13itl6thinkbook_14_g2_areyoga_slim_7-14are05slim_7-15imh05thinkbook_14_g4\+_ara_firmwareslim_7_16arh7ideapad_duet_3_10igl5thinkbook_14p_g3_arhthinkbook_16p_nx_arhthinkbook_15p_g2_ithslim_7-15itl05_firmwarethinkbook_plus_g3_iap_firmwarethinkbook_15_g2_itlthinkbook_14_g2_itlthinkbook_16_g4\+_arayoga_slim_7-14iil05ideapad_slim_7-15iil05thinkbook_15_g3_itlyoga_duet_7-13itl6-lteyoga_slim_7-14iil05_firmwareslim_7_16arh7_firmwareyoga_duet_7-13iml05_firmwarethinkbook_13x_itgideapad_5_pro_16arh7thinkbook_13x_itg_firmwareyoga_slim_7-15iil05_firmwarethinkbook_15_g2_areideapad_slim_7-14itl05_firmwarethinkbook_plus_g3_iapideapad_slim_7-14itl05thinkbook_15_g3_itl_firmwarethinkbook_15p_g2_ith_firmwarethinkbook_14_g3_aclideapad_duet_3_10igl5_firmwareyoga_slim_7_pro_16arh7yoga_slim_7-14are05_firmwarethinkbook_14p_g3_arh_firmwarethinkbook_plus_g2_itg_firmwarethinkbook_14_g2_itl_firmwarethinkbook_16_g4\+_iap_firmwarethinkbook_15_g2_are_firmwareyoga_duet_7-13itl6_firmwareslim_7-15itl05thinkbook_15_g2_itl_firmwareslim_7-15imh05_firmwareyoga_duet_7-13iml05yoga_slim_7-15itl05_firmwarethinkbook_14_g3_itl_firmwarethinkbook_15_g3_acl_firmwarethinkbook_16p_nx_arh_firmwareideapad_slim_7-15iil05_firmwareyoga_duet_7-13itl6-lte_firmwarethinkbook_15_gd_aba_firmwareyoga_slim_7-14itl05thinkbook_14_g4\+_iap_firmwarethinkbook_14_g3_itlBIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-0886
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-8.5||HIGH
EPSS-0.07% / 20.66%
||
7 Day CHG+0.04%
Published-17 Jul, 2025 | 19:16
Updated-17 Jul, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect permissions vulnerability was reported in Elliptic Labs Virtual Lock Sensor that could allow a local, authenticated user to escalate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Elliptic Human Presence Detection Device Driver for ThinkPad P14s Gen 4 (Type 21K5, 21K6)Elliptic Human Presence Detection Device Driver for ThinkPad P16s Gen 2 (Type 21K9, 21KA)lliptic Human Presence Detection Driver for P16s Gen 3 (Type 21KS, 21KT)Elliptic Virtual Lock Sensor Service for T14 Gen 4 (Type 21HD, 21HE)Elliptic Virtual Lock Sensor Service for ThinkPad X1 Carbon 12th Gen (Type 21KC, 21KD)Elliptic Virtual Lock Sensor Service for P16s Gen 2 (Type 21HK, 21HL)Elliptic Human Presence Detection Device Driver for ThinkPad P14s Gen 5 (Type 21ME, 21MF)lliptic Human Presence Detection Device Driver for T14 Gen 5 (Type 21MC, 21MD)Elliptic Human Presence detection Device Driver for ThinkPad P16 Gen 2 (Type 21FA, 21FB)Elliptic Human Presence Detection Driver for ThinkPad P14s Gen 5 (Type 21G2, 21G3)Elliptic Human Presence Detection Device Driver for T16 Gen 3 (Type 21MN, 21MQ)Elliptic Virtual Lock Sensor for ThinkPad X13 Gen 4 (Type 21EX, 21EY)Elliptic Human Presence Detection Driver for ThinkPad P16v Gen 1 (Type 21FE, 21FF)Elliptic Human Presence Detection Device Driver for ThinkPad P16v Gen 2 (Type 21KX, 21KY)Elliptic Virtual Lock Sensor Service For ThinkPad P1 Gen 6 (Type 21FV, 21FW)Elliptic Human Presence Detection Device Driver for T14 Gen 4 (Type 21K3, 21K4)Elliptic Virtual Lock Sensor for X13 Yoga Gen 4 (Type 21F2, 21F3)Elliptic Human Presence Detection driver for ThinkPad T14s Gen 6 (Type 21M1, 21M2)Elliptic Virtual Lock Sensor Service for P14s Gen 4 (Type 21HF, 21HG)Elliptic Human Presence Detection Device Driver for ThinkPad P16v Gen 1 (Type 21FC, 21FD)Elliptic Virtual Lock Sensor Service for ThinkPad T14 Gen 3 (Type 21CF, 21CG))Elliptic Virtual Lock Sensor Service for T14s Gen 4 (Type 21F6, 21F7)Elliptic Human Presence Detection Device Driver for T16 Gen 2 (Type 21K7 21K8)Elliptic Human Presence Detection Device Driver for T14 Gen 5 (Type 21ML, 21MM)Elliptic Human Presence Detection Driver for ThinkPad X13 Gen 4 (Type 21J3, 21J4)Elliptic Human Presence Detection Device Driver for X13 Gen 5 (Type 21LU, 21LV)Elliptic Human Presence Detection Device Driver for X13 2-in-1 Gen 5 (Type 21LW, 21LX)Elliptic Human Presence Detection Device Driver for T14s Gen 5 (Type 21LS, 21LT)Elliptic Human Presence Detection Driver for ThinkPad P1 Gen 7 (Type 21KV, 21KW)Elliptic Virtual Lock Sensor Service for X1 2-in-1 Gen 9 (Type 21KE, 21KF)Elliptic Virtual Lock Sensor Service for T16 Gen 2 (Type 21HH, 21HJ)Elliptic Virtual Lock Sensor Service for ThinkPad T14 Gen 3 (Type 21AH, 21AJ)Elliptic Human Presence Detection Device Driver for ThinkPad T14s Gen 4 (Type 21F8, 21F9)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8346
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 11.42%
||
7 Day CHG~0.00%
Published-15 Sep, 2020 | 14:20
Updated-17 Sep, 2024 | 04:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-system_interface_foundationSystem Interface Foundation
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8357
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 13.32%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 16:15
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-2502
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-8.5||HIGH
EPSS-0.06% / 18.36%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 19:14
Updated-26 Feb, 2026 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper default permissions vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPC Manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-42774
Matching Score-4
Assigner-OpenHarmony
ShareView Details
Matching Score-4
Assigner-OpenHarmony
CVSS Score-6.2||MEDIUM
EPSS-0.02% / 7.00%
||
7 Day CHG~0.00%
Published-20 Nov, 2023 | 11:46
Updated-09 Sep, 2024 | 12:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Liteos-A has a incorrect default permissions vulnerability

in OpenHarmony v3.2.2 and prior versions allow a local attacker get confidential information through incorrect default permissions.

Action-Not Available
Vendor-OpenAtom FoundationOpenHarmony (OpenAtom Foundation)
Product-openharmonyOpenHarmony
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-13867
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 21.16%
||
7 Day CHG~0.00%
Published-05 Jun, 2020 | 17:30
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).

Action-Not Available
Vendor-targetcli-fb_projectn/aFedora Project
Product-targetcli-fbfedoran/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-24413
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.01% / 0.88%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 17:21
Updated-19 Feb, 2026 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Icinga has insecure permission of %ProgramData%\icinga2\var on Windows

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.

Action-Not Available
Vendor-icingaIcingaMicrosoft Corporation
Product-icingawindowsicinga2
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-42953
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 6.82%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 06:41
Updated-04 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 17.1, watchOS 10.1, macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-tvoswatchosipad_osmacosiphone_oswatchOSmacOStvOSiOS and iPadOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-27500
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 11.74%
||
7 Day CHG~0.00%
Published-18 Aug, 2022 | 19:52
Updated-05 May, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions for the Intel(R) Support Android application before 21.07.40 may allow an authenticated user to potentially enable information disclosure via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-supportIntel(R) Support Android application
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-42945
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.07% / 22.38%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 06:41
Updated-04 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1. An app may gain unauthorized access to Bluetooth.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOSmacos
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-284
Improper Access Control
CVE-2022-25804
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 10.30%
||
7 Day CHG~0.00%
Published-09 Jun, 2022 | 00:45
Updated-03 Aug, 2024 | 04:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. Insecure permissions for the serverconfig registry key (under JavaSoft\Prefs\de\igel\rm\config in HKEY_LOCAL_MACHINE\SOFTWARE) allow an unprivileged local attacker to read the encrypted dbuser and dbpassword values for the UMS superuser.

Action-Not Available
Vendor-igeln/a
Product-universal_management_suiten/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-4065
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.33%
||
7 Day CHG~0.00%
Published-26 Sep, 2023 | 13:25
Updated-18 Mar, 2026 | 02:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Operator: plaintext password in operator log

A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_container_platformjboss_a-mqjboss_middlewareenterprise_linuxRed Hat AMQ Broker 7RHEL-8 based Middleware Containers
CWE ID-CWE-117
Improper Output Neutralization for Logs
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-25815
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 3.15%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 13:46
Updated-03 Aug, 2024 | 04:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

Action-Not Available
Vendor-Google LLCSamsung Electronics
Product-androidSamsung Mobile Devices
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-40076
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 1.88%
||
7 Day CHG~0.00%
Published-04 Dec, 2023 | 22:40
Updated-29 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-22424
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 8.27%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 17:35
Updated-16 Sep, 2024 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information from the TLS key file due to incorrect file permissions. IBM X-Force ID: 223597.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-qradar_security_information_and_event_managerlinux_kernelQRadar SIEM
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-21704
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.14% / 33.99%
||
7 Day CHG~0.00%
Published-19 Jan, 2022 | 00:00
Updated-23 Apr, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Default Permissions in log4js-node

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Action-Not Available
Vendor-log4js_projectlog4js-nodeDebian GNU/Linux
Product-log4jsdebian_linuxlog4js-node
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-21013
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-6.9||MEDIUM
EPSS-0.02% / 3.91%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 05:04
Updated-16 Apr, 2026 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-galaxy_wearableGalaxy Wearable
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-20448
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 2.26%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 00:00
Updated-01 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In buzzBeepBlinkLocked of NotificationManagerService.java, there is a possible way to share data across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-237540408

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-13193
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.72%
||
7 Day CHG~0.00%
Published-17 Nov, 2025 | 17:03
Updated-18 Nov, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libvirt: information disclosure via world-readable vm snapshots

A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-0294
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 2.03%
||
7 Day CHG~0.00%
Published-18 Sep, 2020 | 15:22
Updated-04 Aug, 2024 | 05:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In bindWallpaperComponentLocked of WallpaperManagerService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-154915372

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-21015
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-6.8||MEDIUM
EPSS-0.01% / 1.01%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 04:56
Updated-13 May, 2026 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-androidSamsung Mobile Devices
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-46834
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-5.5||MEDIUM
EPSS-0.02% / 6.95%
||
7 Day CHG~0.00%
Published-20 Sep, 2022 | 19:45
Updated-28 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. Affected product versions include:JAD-AL50 versions 102.0.0.225(C00E220R3P4).

Action-Not Available
Vendor-n/aHuawei Technologies Co., Ltd.
Product-jad-al50_firmwarejad-al50JAD-AL50
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2013-4281
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 9.86%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-09 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-openshiftRed Hat Openshift
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-44215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 21.97%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 14:43
Updated-04 Aug, 2024 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact.

Action-Not Available
Vendor-northern.techn/a
Product-cfenginen/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2013-1425
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 26.58%
||
7 Day CHG~0.00%
Published-07 Nov, 2019 | 20:40
Updated-06 Aug, 2024 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ldap-git-backup before 1.0.4 exposes password hashes due to incorrect directory permissions.

Action-Not Available
Vendor-ldap_git_backup_projectldap-git-backupDebian GNU/Linux
Product-ldap_git_backupdebian_linuxldap-git-backup
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found