Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
AnalysisAI
Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches.
Technical ContextAI
This vulnerability stems from CWE-78 (OS Command Injection), where user-supplied input is improperly sanitized before being passed to system shell commands. The affected Lenovo Personal Cloud Storage devices run embedded Linux-based firmware that likely exposes administrative or API interfaces to authenticated users. CPE data identifies ten distinct product lines affected: Personal Cloud T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20. These are network-attached storage (NAS) appliances designed for home and small business use, typically exposing web management interfaces and file-sharing protocols (SMB/CIFS, NFS, WebDAV). The command injection likely occurs in a web application component that processes user input without proper escaping, allowing shell metacharacters to break out of intended command contexts and execute attacker-controlled code with the privileges of the web service process, potentially root or an equivalently privileged system account.
RemediationAI
Check Lenovo's official advisories at https://iknow.lenovo.com.cn/detail/440274 for firmware updates specific to your device model. For Personal Cloud T1 devices, note the EOL announcement at https://pc.lenovo.com.cn/tips/Ann/t1_eol.html - these devices may not receive patches and should be decommissioned or isolated. For models still receiving support, apply the latest firmware as soon as available and verify the update through the device management interface. Compensating controls for unpatched or EOL devices: (1) Isolate devices on dedicated VLAN with strict firewall rules preventing internet access and limiting access to only required clients; (2) Disable remote access features and remove any port forwarding rules; (3) Implement strong authentication (change all default credentials, enforce complex passwords, enable multi-factor authentication if supported); (4) Monitor device logs for suspicious command execution attempts or unexpected administrative actions; (5) Consider replacing EOL devices with currently-supported NAS solutions. Network segmentation is critical - these devices should NEVER be directly internet-accessible. Note that disabling all network access defeats the device's purpose, so risk acceptance or device replacement may be the only viable long-term options for EOL models.
Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup
Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo
The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone
Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve
The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav
A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow
A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30040
GHSA-q5wc-3rhr-ppvw