Severity by source
CVSS vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (NVD)
During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could allow a privileged local user to perform arbitrary reads or writes to privileged memory regions.
Analysis (AI)
Arbitrary privileged memory read/write in Lenovo ThinkPad embedded controller (EC) firmware allows a local administrator on affected ThinkPad models (X13 Gen 6, X1 Carbon 13th Gen, P16v Gen 3, L16 Gen 1/2, T14s Gen 6, P14s Gen 6, L13 Gen 6, L14 Gen 6) to access or modify protected memory regions. Discovered during Lenovo's internal security assessment, the issue is rated CVSS 4.0 8.4 (High); no public exploit had been identified at the time of analysis, and the CVE is not listed in the CISA KEV catalog. Despite the high score, exploitation requires high privileges and local access, which narrows realistic abuse to attackers who already hold admin rights on the host, or to supply-chain and insider scenarios.
Technical Context (AI)
The vulnerability resides in the embedded controller (EC) firmware shipped as part of the ThinkPad BIOS package. The EC is a dedicated microcontroller below the OS that handles power management, thermals, keyboard, battery, and platform security signaling, and it owns memory regions that the host OS is not supposed to touch. CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is the assigned weakness class, suggesting that an authorization or integrity check guarding privileged EC memory operations relies on weak or improperly used cryptography, letting a privileged caller bypass the intended boundary and issue arbitrary reads or writes against protected regions. Because the EC sits below the OS trust boundary, compromise can affect firmware integrity in ways that survive OS reinstalls.
Remediation (AI)
Apply the BIOS/EC firmware update published by Lenovo for your specific ThinkPad model and machine type as listed in advisory LEN-218282 (https://support.lenovo.com/us/en/product_security/LEN-218282); exact fixed versions per model are documented there and should be cross-checked against the machine type printed on the chassis before flashing. Until updates are deployed, treat local administrator privilege on these laptops as equivalent to firmware-level compromise: minimize the number of users with admin rights, enforce full-disk encryption with pre-boot authentication, enable Secure Boot and a BIOS supervisor password to slow tampering, and restrict physical access for travelers (the trade-off is added user friction and helpdesk overhead for password resets). Application control / driver allow-listing can raise the bar against the user-mode tooling typically used to drive EC SMBus commands, but it will not stop an actual admin who already has kernel access.
Related identifiers: EUVD-2025-210107, GHSA-9h3m-vgr9-8wvv