Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
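To make the NVD vector above machine-checkable, here is an added example (not vuln.today or NVD code) that parses a CVSS v4.0 vector string, validates every metric against the allowed values in the v4.0 specification, and reads off the facts the remediation guidance rests on (local access, PR:H, no subsequent-system impact). The metric tables are transcribed from the specification; the function names are this example's own.

```python
"""Parse and validate a CVSS v4.0 vector string, then derive the plain-language
exploitability facts a triager reads off it (local access, high privilege).
Added example written for this page; not code from vuln.today or NVD."""
import re

# Allowed values per metric, per the CVSS v4.0 specification.  The eleven
# base metrics are mandatory; everything else defaults to X (Not Defined).
BASE_METRICS = {
    "AV": "N A L P", "AC": "L H", "AT": "N P", "PR": "N L H", "UI": "N P A",
    "VC": "H L N", "VI": "H L N", "VA": "H L N",
    "SC": "H L N", "SI": "H L N", "SA": "H L N",
}
OPTIONAL_METRICS = {
    "E": "X A P U", "CR": "X H M L", "IR": "X H M L", "AR": "X H M L",
    "MAV": "X N A L P", "MAC": "X L H", "MAT": "X N P", "MPR": "X N L H",
    "MUI": "X N P A", "MVC": "X H L N", "MVI": "X H L N", "MVA": "X H L N",
    "MSC": "X H L N", "MSI": "X S H L N", "MSA": "X S H L N",
    "S": "X N P", "AU": "X N Y", "R": "X A U I", "V": "X D C",
    "RE": "X L M H", "U": "X Clear Green Amber Red",
}

def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a valid v4.0 vector; raise ValueError otherwise."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for item in parts[1:]:
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", item)
        if not m:
            raise ValueError(f"malformed component {item!r}")
        key, val = m.groups()
        allowed = BASE_METRICS.get(key) or OPTIONAL_METRICS.get(key)
        if allowed is None or val not in allowed.split():
            raise ValueError(f"unknown metric or value {item!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = val
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    # Drop optional metrics left at X so callers only see what was asserted.
    return {k: v for k, v in metrics.items() if k in BASE_METRICS or v != "X"}

def triage_summary(metrics: dict) -> dict:
    """Translate the base metrics into the facts that drive the remediation text."""
    return {
        "local_only": metrics["AV"] in ("L", "P"),
        "needs_high_privilege": metrics["PR"] == "H",
        "full_vulnerable_system_impact": all(metrics[k] == "H" for k in ("VC", "VI", "VA")),
        "subsequent_system_impact": any(metrics[k] != "N" for k in ("SC", "SI", "SA")),
    }
```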
Description (NVD)
During an internal security assessment, a potential out-of-bounds write vulnerability was discovered in the BIOS of some ThinkPad products that could allow a privileged local user to execute code in System Management Mode (SMM).
Analysis (AI)
Local privilege escalation to System Management Mode (SMM) in Lenovo ThinkPad BIOS firmware allows a high-privileged local user to execute arbitrary code at one of the most privileged execution rings on x86 hardware. The flaw, an out-of-bounds write (CWE-787) discovered by Lenovo during an internal security assessment, affects a wide range of current-generation ThinkPad models including X1 Carbon 13th Gen, X13 Gen 6, T14s Gen 6, P14s/P16v Gen 3, L13/L14/L16 Gen 6, and E16 Gen 3. No public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV.
Technical Context (AI)
The vulnerability resides in the UEFI/BIOS firmware shipped on the listed ThinkPad platforms. SMM is the highest-privilege x86 execution mode (sometimes called 'ring -2'), running below the OS and hypervisor with full access to physical memory, SPI flash, and platform hardware. An out-of-bounds write (CWE-787) inside an SMI handler typically means an attacker-controlled pointer or length lets code reach SMRAM or adjacent SMM data, corrupting structures used after the SMI entry. Successful exploitation effectively bypasses Secure Boot, BitLocker key protection assumptions, and hypervisor isolation because SMM code executes outside the OS trust boundary.
Remediation (AI)
Patch available per vendor advisory: install the BIOS/UEFI firmware update published by Lenovo for the affected model from https://support.lenovo.com/us/en/product_security/LEN-218282, using Lenovo System Update, Lenovo Vantage, or the model-specific BIOS package; the exact fixed firmware revision is per-model and should be read from that advisory. As compensating controls until the firmware is deployed, restrict and audit local administrator accounts (since PR:H is required), enable a BIOS administrator password and Secure Boot to raise the bar on firmware modification, enforce measured boot/DRTM where supported and monitor TPM PCR values for SMM-related changes, and use endpoint controls to reduce the chance of an attacker reaching local administrator on the host. Note that firmware updates can require AC power, may reset BIOS settings, and on some platforms BitLocker may prompt for recovery, so plan accordingly.
EUVD-2025-210108
GHSA-p7jf-pwjp-h977