Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated low-priv WAC user (PR:L) with required operator interaction (UI:R); command injection on the gateway pivots to managed hosts, so S:C with full C/I/A impact.
Primary rating from Vendor (lenovo).
CVSS VectorVendor: lenovo
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Lenovo XClarity Integrator for Windows Admin Center plugin version 5.1.1 and below running on the WAC Gateway is vulnerable to Powershell Command Injection when establishing remote PowerShell commands.
AnalysisAI
PowerShell command injection in Lenovo XClarity Integrator for Microsoft Windows Admin Center (versions 5.1.1 and below) running on the WAC Gateway allows an authenticated low-privileged attacker to inject arbitrary PowerShell commands when the plugin establishes remote PowerShell sessions. Successful exploitation yields high-impact code execution that extends beyond the plugin into subsequent systems (managed hosts), with full confidentiality, integrity, and availability compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privilege account on the Windows Admin Center Gateway (PR:L) plus active operator/user interaction with the plugin (UI:A), and a specific attack requirement/precondition must hold (AT:P) - most plausibly that the XClarity Integrator plugin is installed and a remote PowerShell command flow is being established, which is the exact functionality the description names ('when establishing remote PowerShell commands'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.8 (High), with vector AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H and high subsequent-system impact (SC:H/SI:H/SA:H), indicating network reach and severe impact but tempered by three real barriers: PR:L (the attacker must already hold a low-privilege WAC account), UI:A (an active user/operator interaction is required), and AT:P (a specific attack requirement/precondition must be met). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated user of the Windows Admin Center console supplies crafted input to a Lenovo XClarity Integrator function that builds a remote PowerShell command; when an operator interacts with the affected plugin workflow, the injected payload breaks out of the intended command and executes attacker-chosen PowerShell on the WAC Gateway and reachable managed nodes. No public POC is referenced, and exploitation requires the AT:P precondition and operator interaction to be met. |
| Remediation | Upgrade the Lenovo XClarity Integrator for Microsoft Windows Admin Center plugin to a fixed release above 5.1.1 as published on the Lenovo Product Security advisory (https://pcsupport.lenovo.com/us/en/product_security/home); an exact fixed version number was not included in the provided data and should be confirmed directly from Lenovo's advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Windows Admin Center deployments for XClarity Integrator v5.1.1 and below; restrict plugin access to essential administrators only; enable detailed PowerShell logging on WAC Gateways and managed hosts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44978
GHSA-mh4x-4mfg-2vp2