Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-8098

Summary
Assigner-lenovo
Assigner Org ID-da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At-18 Aug, 2025 | 20:05
Updated At-20 Aug, 2025 | 03:56
Rejected At-
Credits

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:lenovo
Assigner Org ID:da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At:18 Aug, 2025 | 20:05
Updated At:20 Aug, 2025 | 03:56
Rejected At:
▼CVE Numbering Authority (CNA)

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

Affected Products
Vendor
Lenovo Group LimitedLenovo
Product
PC Manager
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.120.7041 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-276CWE-276: Incorrect Default Permissions
Type: CWE
CWE ID: CWE-276
Description: CWE-276: Incorrect Default Permissions
Metrics
VersionBase scoreBase severityVector
4.08.5HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Lenovo PC Manager to version 5.1.120.7041 or later.

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://iknow.lenovo.com.cn/detail/430658
N/A
Hyperlink: https://iknow.lenovo.com.cn/detail/430658
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@lenovo.com
Published At:18 Aug, 2025 | 20:15
Updated At:18 Aug, 2025 | 20:16

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.5HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-276Secondarypsirt@lenovo.com
CWE ID: CWE-276
Type: Secondary
Source: psirt@lenovo.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://iknow.lenovo.com.cn/detail/430658psirt@lenovo.com
N/A
Hyperlink: https://iknow.lenovo.com.cn/detail/430658
Source: psirt@lenovo.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

411Records found
CVE-2024-33581
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.04% / 10.71%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 15:17
Updated-15 Oct, 2024 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A DLL hijack vulnerability was reported in Lenovo PC Manager AI intelligent scenario that could allow a local attacker to execute code with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-PC Manager AI intelligent scenariopcmanager
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2024-33582
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.04% / 10.71%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 15:17
Updated-15 Oct, 2024 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A DLL hijack vulnerability was reported in Lenovo Service Framework that could allow a local attacker to execute code with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Service Frameworkservice_framework
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2022-3701
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.03% / 7.66%
||
7 Day CHG~0.00%
Published-27 Oct, 2023 | 19:38
Updated-09 Sep, 2024 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-system_update_pluginhardware_scan_pluginhardware_scan_addinVantage SystemUpdate Pluginvantage_systemupdate_plugin
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE ID-CWE-269
Improper Privilege Management
CVE-2022-3699
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-84.02% / 99.26%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 20:48
Updated-17 Sep, 2024 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-diagnosticshardwarescan_pluginhardwarescan_addinDiagnosticsHardwareScanPlugin
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-4762
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.07% / 21.52%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 17:04
Updated-16 Dec, 2024 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper validation vulnerability was reported in the firmware update mechanism of LADM and LDCC that could allow a local attacker to escalate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Accessories and Display ManagerDisplay Control Center
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-6198
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-7.8||HIGH
EPSS-0.03% / 6.28%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 20:30
Updated-02 Aug, 2024 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was reported in Lenovo PC Manager prior to version 2.8.90.11211 that could allow a local attacker to escalate privileges.

Action-Not Available
Vendor-Lenovo Group Limited
Product-PC Managerpcmanager
CWE ID-CWE-287
Improper Authentication
CVE-2022-3430
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.04% / 10.96%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 16:11
Updated-02 Apr, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkbook_14_g2_are_firmwared330-10iglthinkbook_14_g3_acl_firmwareyoga_creator_7-15imh05thinkbook_14s_yoga_itl_firmwareideapad_slim_7-14iil05ideapad_5_pro_16iah7_firmwareideapad_slim_7-14iil05_firmwareyoga_slim_7-15imh05thinkbook_14_g4\+_arayoga_slim_7-15iil05thinkbook_16_g4\+_iapthinkbook_15_g3_aclyoga_creator_7-15imh05_firmwarethinkbook_15p_imp_firmwared330-10igl_firmwarethinkbook_16p_g3_arhthinkbook_15_g4_abaslim_7-14are05thinkbook_plus_g2_itgyoga_slim_7-15imh05_firmwareideapad_5_pro_16arh7_firmwarethinkbook_16_g4\+_ara_firmwareyoga_slim_7-14itl05_firmwareideapad_5_pro_16iah7thinkbook_15p_impthinkbook_14s_yoga_itlyoga_slim_7-15itl05thinkbook_16p_g3_arh_firmwareslim_7-14are05_firmwareyoga_slim_7_pro_16arh7_firmwarethinkbook_14_g4\+_iapyoga_duet_7-13itl6thinkbook_14_g2_areyoga_slim_7-14are05slim_7-15imh05thinkbook_14_g4\+_ara_firmwareslim_7_16arh7ideapad_duet_3_10igl5thinkbook_14p_g3_arhthinkbook_16p_nx_arhthinkbook_15p_g2_ithslim_7-15itl05_firmwarethinkbook_plus_g3_iap_firmwarethinkbook_15_g2_itlthinkbook_14_g2_itlthinkbook_16_g4\+_arayoga_slim_7-14iil05ideapad_slim_7-15iil05thinkbook_15_g3_itlyoga_duet_7-13itl6-lteyoga_slim_7-14iil05_firmwareslim_7_16arh7_firmwareyoga_duet_7-13iml05_firmwarethinkbook_13x_itgideapad_5_pro_16arh7thinkbook_13x_itg_firmwareyoga_slim_7-15iil05_firmwarethinkbook_15_g2_areideapad_slim_7-14itl05_firmwarethinkbook_plus_g3_iapideapad_slim_7-14itl05thinkbook_15_g3_itl_firmwarethinkbook_15p_g2_ith_firmwarethinkbook_14_g3_aclideapad_duet_3_10igl5_firmwareyoga_slim_7_pro_16arh7yoga_slim_7-14are05_firmwarethinkbook_14p_g3_arh_firmwarethinkbook_plus_g2_itg_firmwarethinkbook_14_g2_itl_firmwarethinkbook_16_g4\+_iap_firmwarethinkbook_15_g2_are_firmwareyoga_duet_7-13itl6_firmwareslim_7-15itl05thinkbook_15_g2_itl_firmwareslim_7-15imh05_firmwareyoga_duet_7-13iml05yoga_slim_7-15itl05_firmwarethinkbook_14_g3_itl_firmwarethinkbook_15_g3_acl_firmwarethinkbook_16p_nx_arh_firmwareideapad_slim_7-15iil05_firmwareyoga_duet_7-13itl6-lte_firmwarethinkbook_15_gd_aba_firmwareyoga_slim_7-14itl05thinkbook_14_g4\+_iap_firmwarethinkbook_14_g3_itlBIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-3432
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.07% / 22.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 16:27
Updated-01 Apr, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential vulnerability in a driver used during manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Action-Not Available
Vendor-Lenovo Group Limited
Product-ideapad_y700-14isk_firmwareideapad_y700-14iskBIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8346
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 10.10%
||
7 Day CHG~0.00%
Published-15 Sep, 2020 | 14:20
Updated-17 Sep, 2024 | 04:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-system_interface_foundationSystem Interface Foundation
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8357
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 12.20%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 16:15
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-1109
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 20.49%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 19:23
Updated-02 Apr, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service.

Action-Not Available
Vendor-Lenovo Group Limited
Product-leyunLeyun
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3720
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 12.53%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 22:05
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.

Action-Not Available
Vendor-Lenovo Group Limited
Product-legion_phone2_pro_\(l70081\)legion_phone_pro_\(l79031\)firmwarelegion_phone_pro_\(l79031\)legion_phone2_pro_\(l70081\)_firmwareLegion Phone Pro (L79031)Legion Phone2 Pro (L70081)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29058
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 18.67%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 20:47
Updated-30 Jan, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinksystem_sn550thinksystem_sr530_firmwarethinkagile_hx3375_firmwarethinksystem_sr570_firmwarethinkagile_hx5530thinksystem_sr158thinkagile_hx3721thinksystem_sd630_v2_firmwarethinksystem_sr665_firmwarethinksystem_sd650thinkagile_hx3520-g_firmwarethinkagile_hx3521-g_firmwarethinkagile_mx3531_h_firmwarethinksystem_st250thinkagile_vx1320_firmwarethinksystem_sr850thinksystem_sr158_firmwarethinkagile_vx3320_firmwarethinkagile_hx7530_firmwarethinkagile_hx2330thinkagile_vx7820thinksystem_sn850thinkagile_hx5520thinkagile_vx7530_firmwarethinkedge_se450_thinkagile_vx3320thinkagile_vx5520_firmwarethinksystem_st550_firmwarethinksystem_sr630thinkagile_mx1021_on_se350_firmwarethinksystem_sr950thinkagile_vx7320_nthinksystem_st658_v2thinkagile_hx1521-r_firmwarethinkagile_hx7820thinkagile_vx2320thinkagile_vx7520_nthinkagile_hx7520_firmwarethinkagile_vx_2u4nthinksystem_sr860_firmwarethinksystem_sr650_v2_firmwarethinkagile_hx5520-cthinksystem_sr630_v2thinkagile_hx_enclosure_firmwarethinkagile_hx7820_firmwarethinkagile_hx3720thinksystem_sd530thinksystem_sr860_v2thinksystem_sn850_firmwarethinkagile_mx1021_on_se350thinkagile_vx_4u_firmwarethinksystem_st650_v2thinksystem_sr258_v2thinkagile_hx7521_firmwarethinkagile_hx1021thinkagile_hx3375thinkagile_vx2320_firmwarethinksystem_sr250_v2_firmwarethinkagile_vx3330thinkagile_mx3330-h_firmwarethinkagile_hx2720-e_firmwarethinkagile_hx3331_firmwarethinksystem_st250_firmwarethinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_sr570thinksystem_sd650-n_v2thinkagile_vx7520thinkagile_hx3321_firmwarethinksystem_sr670_v2_firmwarethinksystem_sr670_v2thinkagile_vx_4uthinkagile_mx3331-f_firmwarethinkagile_hx2320-e_firmwarethinkagile_hx1331thinkagile_hx3331thinkagile_hx7521thinkagile_vx5520thinksystem_sr550thinkagile_mx3330-hthinkagile_vx7530thinkagile_vx3520-g_firmwarethinksystem_se350_firmwarethinkagile_mx3530-hthinksystem_sd650_firmwarethinksystem_st250_v2thinkagile_hx2321_firmwarethinkagile_hx2321thinkagile_hx3721_firmwarethinkagile_mx3330-f_firmwarethinksystem_sr860_v2_firmwarethinksystem_sr850p_firmwarethinksystem_st258thinkagile_hx1320thinkagile_hx1321_firmwarethinksystem_sr850pthinkagile_hx1320_firmwarethinksystem_sn550_v2thinkstation_p920_firmwarethinksystem_sr258_v2_firmwarethinkagile_hx3320_firmwarethinkagile_hx3521-gthinkagile_hx2331_firmwarethinkagile_mx3530_f_firmwarethinksystem_st650_v2_firmwarethinkagile_mx3330-fthinksystem_st258_v2_firmwarethinksystem_st258_firmwarethinkagile_hx3376_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_vx7531_firmwarethinkagile_hx7821_firmwarethinksystem_sr850_firmwarethinkagile_vx3330_firmwarethinksystem_st550thinkagile_hx7531thinkagile_vx3520-gthinksystem_st658_v2_firmwarethinkagile_vx7531thinkagile_vx_2u4n_firmwarethinksystem_sr670_firmwarethinksystem_sr150thinkagile_vx3720thinksystem_sr850_v2_firmwarethinksystem_sr250_v2thinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3530-h_firmwarethinkagile_hx_enclosurethinkagile_hx1321thinksystem_st250_v2_firmwarethinkagile_hx7520thinkagile_hx3330thinkagile_mx3331-h_firmwarethinkedge_se450__firmwarethinksystem_sr645_v3_firmwarethinkagile_hx2720-ethinkagile_hx1331_firmwarethinksystem_sr650_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinkagile_hx3321thinkagile_hx7530thinksystem_sr250thinksystem_sr530thinkagile_hx5520_firmwarethinksystem_sr850_v2thinksystem_se350thinkagile_mx1020_firmwarethinkagile_mx1020thinksystem_sr665thinksystem_sr150_firmwarethinkagile_hx3520-gthinkagile_vx7320_n_firmwarethinksystem_sr860thinkagile_hx7821thinkagile_hx3720_firmwarethinkagile_hx5521_firmwarethinksystem_sr645_firmwarethinkagile_hx1021_firmwarethinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinkagile_vx7820_firmwarethinkagile_hx5520-c_firmwarethinksystem_sd530_firmwarethinkagile_vx_1sethinkagile_mx3331-hthinkagile_hx5521-c_firmwarethinksystem_sd650_v2thinkstation_p920thinksystem_sr650_v2thinkagile_vx7330thinksystem_sn550_firmwarethinkagile_hx5521-cthinksystem_sr250_firmwarethinksystem_sr258_firmwarethinksystem_sr590_firmwarethinkagile_mx3530_fthinkagile_hx1520-rthinksystem_sd630_v2thinkagile_hx1521-rthinkagile_hx1520-r_firmwarethinkagile_hx3320thinkagile_vx3720_firmwarethinkagile_hx5531thinkagile_vx_1se_firmwarethinksystem_sr630_firmwarethinkagile_vx7520_n_firmwarethinksystem_sr550_firmwarethinkagile_hx2331thinkagile_hx2320-ethinkagile_vx5530thinkagile_mx3331-fthinkagile_hx7531_firmwarethinkagile_vx1320thinksystem_sr645thinksystem_sr670thinksystem_sr590thinkagile_vx3331_firmwarethinkagile_vx7520_firmwarethinksystem_sr950_firmwarethinkagile_vx2330_firmwarethinkagile_vx3530-g_firmwarethinksystem_sr630_v2_firmwarethinksystem_sr665_v3thinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_mx3531_hthinkagile_vx3530-gthinkagile_vx5530_firmwarethinksystem_sr650thinksystem_sr258thinkagile_hx5521thinkagile_mx3531-fthinkagile_mx3531-f_firmwareXClarity Controller
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-29057
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-7.3||HIGH
EPSS-0.12% / 31.28%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 20:53
Updated-30 Jan, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinksystem_sn550thinksystem_sr530_firmwarethinkagile_hx3375_firmwarethinksystem_sr570_firmwarethinkagile_hx5530thinksystem_sr158thinkagile_hx3721thinksystem_sd630_v2_firmwarethinksystem_sr665_firmwarethinksystem_sd650thinkagile_hx3520-g_firmwarethinkagile_hx3521-g_firmwarethinkagile_mx3531_h_firmwarethinksystem_st250thinkagile_vx1320_firmwarethinksystem_sr850thinksystem_sr158_firmwarethinkagile_vx3320_firmwarethinkagile_hx7530_firmwarethinkagile_hx2330thinkagile_vx7820thinksystem_sn850thinkagile_hx5520thinkagile_vx7530_firmwarethinkedge_se450_thinkagile_vx3320thinkagile_vx5520_firmwarethinksystem_st550_firmwarethinksystem_sr630thinkagile_mx1021_on_se350_firmwarethinksystem_sr950thinkagile_vx7320_nthinksystem_st658_v2thinkagile_hx1521-r_firmwarethinkagile_hx7820thinkagile_vx2320thinkagile_vx7520_nthinkagile_hx7520_firmwarethinkagile_vx_2u4nthinksystem_sr860_firmwarethinksystem_sr650_v2_firmwarethinkagile_hx5520-cthinksystem_sr630_v2thinkagile_hx_enclosure_firmwarethinkagile_hx7820_firmwarethinkagile_hx3720thinksystem_sd530thinksystem_sr860_v2thinksystem_sn850_firmwarethinkagile_mx1021_on_se350thinkagile_vx_4u_firmwarethinksystem_st650_v2thinksystem_sr258_v2thinkagile_hx7521_firmwarethinkagile_hx1021thinkagile_hx3375thinkagile_vx2320_firmwarethinksystem_sr250_v2_firmwarethinkagile_vx3330thinkagile_mx3330-h_firmwarethinkagile_hx2720-e_firmwarethinkagile_hx3331_firmwarethinksystem_st250_firmwarethinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_sr570thinksystem_sd650-n_v2thinkagile_vx7520thinkagile_hx3321_firmwarethinksystem_sr670_v2_firmwarethinksystem_sr670_v2thinkagile_vx_4uthinkagile_mx3331-f_firmwarethinkagile_hx2320-e_firmwarethinkagile_hx1331thinkagile_hx3331thinkagile_hx7521thinkagile_vx5520thinksystem_sr550thinkagile_mx3330-hthinkagile_vx7530thinkagile_vx3520-g_firmwarethinksystem_se350_firmwarethinkagile_mx3530-hthinksystem_sd650_firmwarethinksystem_st250_v2thinkagile_hx2321_firmwarethinkagile_hx2321thinkagile_hx3721_firmwarethinkagile_mx3330-f_firmwarethinksystem_sr860_v2_firmwarethinksystem_sr850p_firmwarethinksystem_st258thinkagile_hx1320thinkagile_hx1321_firmwarethinksystem_sr850pthinkagile_hx1320_firmwarethinksystem_sn550_v2thinkstation_p920_firmwarethinksystem_sr258_v2_firmwarethinkagile_hx3320_firmwarethinkagile_hx3521-gthinkagile_hx2331_firmwarethinkagile_mx3530_f_firmwarethinksystem_st650_v2_firmwarethinkagile_mx3330-fthinksystem_st258_v2_firmwarethinksystem_st258_firmwarethinkagile_hx3376_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_vx7531_firmwarethinkagile_hx7821_firmwarethinksystem_sr850_firmwarethinkagile_vx3330_firmwarethinksystem_st550thinkagile_hx7531thinkagile_vx3520-gthinksystem_st658_v2_firmwarethinkagile_vx7531thinkagile_vx_2u4n_firmwarethinksystem_sr670_firmwarethinksystem_sr150thinkagile_vx3720thinksystem_sr850_v2_firmwarethinksystem_sr250_v2thinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3530-h_firmwarethinkagile_hx_enclosurethinkagile_hx1321thinksystem_st250_v2_firmwarethinkagile_hx7520thinkagile_hx3330thinkagile_mx3331-h_firmwarethinkedge_se450__firmwarethinksystem_sr645_v3_firmwarethinkagile_hx2720-ethinkagile_hx1331_firmwarethinksystem_sr650_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinkagile_hx3321thinkagile_hx7530thinksystem_sr250thinksystem_sr530thinkagile_hx5520_firmwarethinksystem_sr850_v2thinksystem_se350thinkagile_mx1020_firmwarethinkagile_mx1020thinksystem_sr665thinksystem_sr150_firmwarethinkagile_hx3520-gthinkagile_vx7320_n_firmwarethinksystem_sr860thinkagile_hx7821thinkagile_hx3720_firmwarethinkagile_hx5521_firmwarethinksystem_sr645_firmwarethinkagile_hx1021_firmwarethinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinkagile_vx7820_firmwarethinkagile_hx5520-c_firmwarethinksystem_sd530_firmwarethinkagile_vx_1sethinkagile_mx3331-hthinkagile_hx5521-c_firmwarethinksystem_sd650_v2thinkstation_p920thinksystem_sr650_v2thinkagile_vx7330thinksystem_sn550_firmwarethinkagile_hx5521-cthinksystem_sr250_firmwarethinksystem_sr258_firmwarethinksystem_sr590_firmwarethinkagile_mx3530_fthinkagile_hx1520-rthinksystem_sd630_v2thinkagile_hx1521-rthinkagile_hx1520-r_firmwarethinkagile_hx3320thinkagile_vx3720_firmwarethinkagile_hx5531thinkagile_vx_1se_firmwarethinksystem_sr630_firmwarethinkagile_vx7520_n_firmwarethinksystem_sr550_firmwarethinkagile_hx2331thinkagile_hx2320-ethinkagile_vx5530thinkagile_mx3331-fthinkagile_hx7531_firmwarethinkagile_vx1320thinksystem_sr645thinksystem_sr670thinksystem_sr590thinkagile_vx3331_firmwarethinkagile_vx7520_firmwarethinksystem_sr950_firmwarethinkagile_vx2330_firmwarethinkagile_vx3530-g_firmwarethinksystem_sr630_v2_firmwarethinksystem_sr665_v3thinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_mx3531_hthinkagile_vx3530-gthinkagile_vx5530_firmwarethinksystem_sr650thinksystem_sr258thinkagile_hx5521thinkagile_mx3531-fthinkagile_mx3531-f_firmwareXClarity Controller
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3722
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5||MEDIUM
EPSS-0.03% / 8.22%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 20:30
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-3451
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 12.20%
||
7 Day CHG~0.00%
Published-27 Apr, 2021 | 15:27
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow configuration files to be written to non-standard locations.

Action-Not Available
Vendor-Lenovo Group Limited
Product-pcmanagerPCManager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-4575
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-6.7||MEDIUM
EPSS-0.01% / 0.21%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 14:42
Updated-03 Aug, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability due to improper write protection of UEFI variables was reported in the BIOS of some ThinkPad models could allow an attacker with physical or local access and elevated privileges the ability to bypass Secure Boot.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkpad_p70_firmwarethinkpad_p50_firmwarethinkpad_t560thinkpad_p70thinkpad_x1_carbon_4th_gen_firmwarethinkpad_25thinkpad_25_firmwarethinkpad_t470thinkpad_x1_carbon_4th_genthinkpad_x260_firmwarethinkpad_t470s_firmwarethinkpad_p50thinkpad_t470sthinkpad_x270thinkpad_yoga_260_firmwarethinkpad_l560thinkpad_p50sthinkpad_t560_firmwarethinkpad_x270_firmwarethinkpad_x1_yoga_1st_genthinkpad_x1_yoga_1st_gen_firmwarethinkpad_l560_firmwarethinkpad_x260thinkpad_p50s_firmwarethinkpad_yoga_260thinkpad_t470_firmwareThinkPad BIOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-5474
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 6.99%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 15:15
Updated-15 Nov, 2024 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

Action-Not Available
Vendor-Lenovo Group Limited
Product-dolby_vision_provisioningDolby Vision Provisioning softwaredolby_vision_provisioning_software
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-9085
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-4.9||MEDIUM
EPSS-0.14% / 34.31%
||
7 Day CHG~0.00%
Published-16 Nov, 2018 | 14:00
Updated-05 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing System x Flash Memory Write Protection Lock Bit

A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.

Action-Not Available
Vendor-IBM CorporationLenovo Group Limited
Product-system_x3530_m4_firmwarebladecenter_hs23e_firmwareflex_system_x880_x6_firmwaresystem_x3100_m5_firmwaresystem_x3630_m4_firmwareflex_system_x222_m4_firmwaresystem_x3630_m4flex_system_x220flex_system_x220_m4_firmwaresystem_x3850_x6_firmwareflex_system_x280_x6system_x3650_m4_firmwareidataplex_dx360_m4_firmwarebladecentersystem_x3650_m4_hd_firmwaresystem_x3300_m4system_x3100_m4_firmwaresystem_x3250_m5system_x3650_m4_hdsystem_x3250_m4flex_system_x240_m4_firmwaresystem_x3750_m4_firmwareidataplex_dx360_m4_water_cooled_firmwareflex_system_x880_x6system_x3550_m4system_x3850_x6system_x3650_m4_bd_firmwaresystem_x3950_x6system_x3650_m4_bdbladecenter_hs23_firmwaresystem_x3750_m4system_x3550_m4_firmwareflex_system_x480_x6_firmwareidataplex_dx360_m4_flex_system_x222_m4system_x3950_x6_firmwaresystem_x3250_m4_firmwareflex_system_x480_x6system_x3100_m5system_x3500_m4_firmwaresystem_x3300_m4_firmwaresystem_x3500_m4system_x3100_m4system_x3250_m5_firmwaresystem_x3530_m4flex_system_x440_m4system_x3650_m4flex_system_x240_m4flex_system_x280_x6_firmwareflex_system_x440_m4_firmwareSystem x UEFI
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-12903
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-7.8||HIGH
EPSS-0.03% / 6.07%
||
7 Day CHG~0.00%
Published-23 Dec, 2024 | 12:41
Updated-24 Dec, 2024 | 01:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect default permissions in Biamp Evoko Home

Incorrect default permissions vulnerability in Evoko Home, affecting version 2.4.2 to 2.7.4. A non-admin user could exploit weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. It has been identified that full control permissions exist on the ‘Everyone’ group (i.e. any user who has local access to the operating system regardless of their privileges).

Action-Not Available
Vendor-Biamp
Product-Evoko Home Service
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-22817
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-7.8||HIGH
EPSS-0.04% / 10.81%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-276: Incorrect Default Permissions vulnerability exists that could cause unauthorized access to the base installation directory leading to local privilege escalation. Affected Product: Harmony/Magelis iPC Series (All Versions), Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), Vijeo Designer Basic (All Versions prior to V1.2.1)

Action-Not Available
Vendor-n/a
Product-hmibmuhi29d2801_firmwarehmibmphi74d4801_firmwarehmibmp0i74di00a_firmwarehmibmp0i74d2001hmibmuhi29d4801hmibmu0i29d4001hmibmusi29d4801_firmwarehmibmiea5dd1001hmibmuci29d2w01_firmwarehmibmp0i74d4001hmibmiea5dd100ahmibmu0i29d2001_firmwarehmibmphi74d4801hmibmu0i29de00a_firmwarehmibmo0a5ddf101_firmwarehmibmoma5ddf10l_firmwarehmibmoma5dd1e01hmibmu0i29d200a_firmwarehmibmp0i74d400ahmibmiea5dd1e01_firmwarehmibscea53d1l01_firmwarevijeo_designerhmibmp0i74d2001_firmwarehmibmu0i29di00a_firmwarehmibmoma5dd1e01_firmwarehmibmuci29d2w01hmibmu0i29di00ahmibmp0i74di00ahmibmuci29d4w01_firmwarehmibscea53d1l01hmibmu0i29de00ahmibmiea5dd100a_firmwarehmibscea53d1l0ahmibmu0i29d200ahmibscea53d1l0a_firmwarehmibmu0i29d400a_firmwarehmibmpsi74d4801_firmwarehmibmo0a5ddf10ahmibmpsi74d4801hmibmo0a5dd1001hmibmphi74d2801_firmwarehmibmp0i74de00a_firmwarehmibmp0i74de00ahmibmusi29d2801hmibmu0i29d2001hmibmo0a5ddf10a_firmwarehmibmuhi29d4801_firmwarehmibmiea5dd1e01hmibmusi29d4801hmibmusi29d2801_firmwarehmibmiea5dd1001_firmwarehmibmpsi74d2801hmibmiea5dd1101_firmwarehmibmuci29d4w01hmibmiea5dd1101hmibmp0i74d200ahmibmiea5dd110lhmibmp0i74d4001_firmwarehmibscea53d1l0t_firmwarehmibmp0i74d200a_firmwarehmibmoma5ddf10lhmibmu0i29d4001_firmwarehmibmphi74d2801hmibmoma5dd1101_firmwarehmibmo0a5dd1001_firmwarehmibscea53d1l0thmibmo0a5ddf101hmibmiea5dd110l_firmwarehmibmp0i74d400a_firmwarehmibmoma5dd1101hmibmu0i29d400ahmibmpsi74d2801_firmwarehmibmuhi29d2801Harmony/Magelis iPC Series (All Versions), Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), Vijeo Designer Basic (All Versions prior to V1.2.1)
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-13206
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-8.5||HIGH
EPSS-0.03% / 5.30%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 03:00
Updated-09 Jan, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
REVE Antivirus reveinstall default permission

A vulnerability classified as critical has been found in REVE Antivirus 1.0.0.0 on Linux. This affects an unknown part of the file /usr/local/reveantivirus/tmp/reveinstall. The manipulation leads to incorrect default permissions. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-REVE
Product-Antivirus
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-19592
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.71% / 71.36%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 15:04
Updated-05 Aug, 2024 | 11:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.

Action-Not Available
Vendor-corsairn/a
Product-h80i_v2linkrmilighting_node_proh100i_gtxcommander_prormh110i_gtxx99h110ih100i_v2h80i_gth110i_gthxih80ih100iaxih115icommander_minin/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-21910
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.04% / 10.01%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)Microsoft Corporation
Product-windowsr-seenetAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-1155
Matching Score-4
Assigner-National Instruments
ShareView Details
Matching Score-4
Assigner-National Instruments
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.82%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 14:34
Updated-12 Feb, 2025 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect permissions for shared NI SystemLink Elixir based services

Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-emersonNI
Product-specification_compliance_managerflexloggersystemlink_serverlabview_nxgg_web_development_softwarestatic_test_software_suitedata_record_adsts_software_bundleSystemLink ServerFlexLogger
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-11624
Matching Score-4
Assigner-Google Devices
ShareView Details
Matching Score-4
Assigner-Google Devices
CVSS Score-7.8||HIGH
EPSS-0.01% / 0.58%
||
7 Day CHG~0.00%
Published-03 Jan, 2025 | 03:28
Updated-03 Jan, 2025 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

there is a possible to add apps to bypass VPN due to Undeclared Permission . This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-33912
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.03% / 6.62%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 06:47
Updated-03 Aug, 2024 | 08:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.

Action-Not Available
Vendor-n/atribe29 GmbHCheckmk GmbH
Product-checkmkn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-11468
Matching Score-4
Assigner-de5a6978-88fe-4c27-a7df-d0d5b52d5b52
ShareView Details
Matching Score-4
Assigner-de5a6978-88fe-4c27-a7df-d0d5b52d5b52
CVSS Score-7.8||HIGH
EPSS-0.02% / 4.21%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 22:17
Updated-05 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a flaw in the installation process. Successful exploitation of this issue may allow attackers with user privileges to escalate their privileges to root on the system where the Horizon Client for macOS is installed.

Action-Not Available
Vendor-Omnissa
Product-Omnissa Horizon Client for MacOS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-21911
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.04% / 10.01%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)Microsoft Corporation
Product-windowsr-seenetAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-269
Improper Privilege Management
CVE-2022-33922
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7||HIGH
EPSS-0.11% / 30.17%
||
7 Day CHG~0.00%
Published-12 Oct, 2022 | 19:25
Updated-15 May, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell GeoDrive, versions prior to 2.2, contains Insecure File and Folder Permissions vulnerabilities. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context. Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.
Product-geodriveGeoDrive
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-10251
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.05% / 16.67%
||
7 Day CHG~0.00%
Published-11 Dec, 2024 | 16:40
Updated-20 Dec, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation.

Action-Not Available
Vendor-Ivanti Software
Product-security_controlsSecurity Controls
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-21912
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.66%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)Microsoft Corporation
Product-windowsr-seenetAdvantech
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-33963
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.07% / 22.16%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 13:17
Updated-24 Jan, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in the software installer for Intel(R) Unite(R) Client software for Windows before version 4.2.34870 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-unitesoftware installer for Intel(R) Unite(R) Client software for Windows
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-20532
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.4||HIGH
EPSS-0.02% / 4.36%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 16:30
Updated-16 Sep, 2024 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Client 8.1.0.0 through 8.1.11.0 could allow a local user to escalate their privileges to take full control of the system due to insecure directory permissions. IBM X-Force ID: 198811.

Action-Not Available
Vendor-Microsoft CorporationIBM Corporation
Product-spectrum_protect_backup-archive_clientwindowsspectrum_protect_for_virtual_environmentsSpectrum Protect for Virtual Environments
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-5896
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.8||HIGH
EPSS-0.06% / 19.54%
||
7 Day CHG~0.00%
Published-12 May, 2020 | 15:24
Updated-04 Aug, 2024 | 08:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_access_policy_managerbig-ip_access_policy_manager_clientF5 Edge Client
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-5623
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-7||HIGH
EPSS-0.06% / 17.83%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 16:25
Updated-09 Sep, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation

NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location

Action-Not Available
Vendor-Tenable, Inc.
Product-nessus_network_monitorNessus Network Monitornessus_network_monitor
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-11597
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.05% / 16.67%
||
7 Day CHG~0.00%
Published-11 Dec, 2024 | 16:49
Updated-23 Jan, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allows a local authenticated attacker to achieve local privilege escalation.

Action-Not Available
Vendor-Ivanti Software
Product-performance_managerPerformance Manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-9431
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.02% / 4.69%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 21:39
Updated-18 Dec, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In OSUInfo of OSUInfo.java, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2018-9432
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 0.30%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 21:26
Updated-22 Nov, 2024 | 21:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In createPhonebookDialogView and createMapDialogView of BluetoothPermissionActivity.java, there is a possible permissions bypass. This could lead to local escalation of privilege due to hiding and bypassing the user's ability to disable access to contacts, with no additional execution privileges needed. User interaction is needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-11598
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.05% / 16.67%
||
7 Day CHG~0.00%
Published-11 Dec, 2024 | 16:50
Updated-23 Jan, 2025 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allows a local authenticated attacker to achieve local privilege escalation.

Action-Not Available
Vendor-Ivanti Software
Product-application_controlApplication Control
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-33182
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-7.8||HIGH
EPSS-0.03% / 7.77%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, could allow a local authenticated user to escalate its privilege to root using switch commands “supportlink”, “firmwaredownload”, “portcfgupload, license, and “fosexec”.

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-fabric_operating_systemBrocade Fabric OS
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-3263
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.8||HIGH
EPSS-0.04% / 11.11%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 18:30
Updated-16 Apr, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Measuresoft ScadaPro Server Improper Access Control

The security descriptor of Measuresoft ScadaPro Server version 6.7 has inconsistent permissions, which could allow a local user with limited privileges to modify the service binary path and start malicious commands with SYSTEM privileges.

Action-Not Available
Vendor-measuresoftMeasuresoft
Product-scadapro_serverScadaPro Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-20037
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.8||HIGH
EPSS-0.03% / 6.01%
||
7 Day CHG~0.00%
Published-21 Sep, 2021 | 08:50
Updated-03 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SonicWall Global VPN Client 4.10.5 installer (32-bit and 64-bit) incorrect default file permission vulnerability leads to privilege escalation which potentially allows command execution in the host operating system. This vulnerability impacts GVC 4.10.5 installer and earlier.

Action-Not Available
Vendor-SonicWall Inc.
Product-global_vpn_clientSonicWall Global VPN Client
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-8672
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.41%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 12:21
Updated-22 Aug, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCC Bypass via Inherited Permissions in Bundled Interpreter in GIMP.app

MacOS version of GIMP bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of GIMP, potentially disguising attacker's malicious intent. This issue has been fixed in 3.1.4.2 version of GIMP.

Action-Not Available
Vendor-Apple Inc.GIMP
Product-macosgimpGIMP
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-31500
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.12% / 32.16%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 13:03
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.

Action-Not Available
Vendor-knimen/a
Product-knime_analytics_platformn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-1000
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.70%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 16:02
Updated-03 Aug, 2024 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In createBluetoothDeviceSlice of ConnectedDevicesSliceProvider.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-185190688

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-31244
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.06% / 18.62%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-03 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nokia OneNDS 17r2 has Insecure Permissions vulnerability that allows for privilege escalation.

Action-Not Available
Vendor-n/aNokia Corporation
Product-one-network_directory_servern/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-1033
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.70%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 16:02
Updated-03 Aug, 2024 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In createGeneralSlice of ConnectedDevicesSliceProvider.java.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-185247656

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-30338
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-6.7||MEDIUM
EPSS-0.05% / 15.85%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 13:16
Updated-27 Jan, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect default permissions in the Intel(R) VROC software before version 7.7.6.1003 may allow an authenticated user to potentially enable escalation of privilege via local access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-virtual_raid_on_cpuIntel(R) VROC software
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2021-0486
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.19%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 13:43
Updated-03 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onPackageAddedInternal of PermissionManagerService.java, there is possible access to external storage due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-171430330

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-276
Incorrect Default Permissions
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 8
  • 9
  • Next
Details not found