Skip to main content

Lenovo Accessories and Display Manager CVE-2026-9045

| EUVDEUVD-2026-36047 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-10 lenovo GHSA-j94f-hq72-qm3h
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 10, 2026 - 15:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 15:22 NVD
7.8 (HIGH) 8.5 (HIGH)
Analysis Generated
Jun 10, 2026 - 15:18 vuln.today
CVE Published
Jun 10, 2026 - 14:09 nvd
HIGH 7.8

DescriptionNVD

During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.

AnalysisAI

Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.

Technical ContextAI

Lenovo Accessories and Display Manager for Enterprise is a Windows-based management utility distributed by Lenovo for enterprise endpoints to configure docks, monitors, and peripheral accessories. The underlying CWE-306 (Missing Authentication for Critical Function) indicates that a critical operation exposed by the application - likely an IPC endpoint, named pipe, COM interface, or privileged service routine - does not validate that the caller is authorized to invoke it. Because the product typically runs with elevated rights to manipulate device settings and drivers, a standard user process can reach this unauthenticated critical function and coerce it into performing actions (file writes, process spawning, driver loading) in the SYSTEM or administrator context, yielding arbitrary code execution. The CPE cpe:2.3:a:lenovo:accessories_and_display_manager_for_enterprise:*:*:*:*:*:*:*:* covers all versions, suggesting the affected version range is unbounded until the patched build identified in DS568567.

RemediationAI

Apply the patched version of Lenovo Accessories and Display Manager for Enterprise from Lenovo's download page at https://support.lenovo.com/us/en/downloads/ds568567, following the guidance in the security advisory at https://support.lenovo.com/us/en/product_security/LEN-213623 (Vendor-released patch: see DS568567 for the exact fix build). Push the update through your endpoint management platform (Intune, SCCM/MECM, Tanium, etc.) to all Lenovo Windows endpoints where the Enterprise variant is installed. If patching cannot be performed immediately, compensating controls include uninstalling the Accessories and Display Manager package on hosts where docks/peripherals aren't centrally managed (trade-off: users lose dock/monitor configuration UI and some firmware-update flows), restricting interactive logon on shared workstations to trusted users only via Group Policy User Rights Assignment (trade-off: operational impact on shared kiosks/lab machines), and monitoring for child processes of the Lenovo service running with elevated tokens that spawn cmd.exe/powershell.exe or write to system directories.

More in Lenovo

View all
CVE-2012-1195 HIGH POC
7.5 Feb 18

Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup

CVE-2012-1196 MEDIUM POC
5.0 Feb 18

Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen

CVE-2015-2219 HIGH POC
7.2 May 12

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo

CVE-2018-14066 CRITICAL POC
9.8 Jul 15

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone

CVE-2026-58583 HIGH POC
8.4 Jul 07

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve

CVE-2017-7293 HIGH POC
7.8 Apr 26

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to

CVE-2015-6971 HIGH POC
7.8 Oct 03

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the

CVE-2015-8110 HIGH POC
7.8 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav

CVE-2021-3633 HIGH POC
7.8 Aug 17

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow

CVE-2022-0354 HIGH POC
7.3 Apr 22

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab

CVE-2015-8109 HIGH POC
7.0 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak

CVE-2017-3761 CRITICAL
9.8 Oct 17

The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i

Share

CVE-2026-9045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy