Skip to main content

Lenovo Personal Cloud Storage EUVDEUVD-2026-30040

| CVE-2026-6281 HIGH
OS Command Injection (CWE-78)
2026-05-13 lenovo GHSA-q5wc-3rhr-ppvw
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 13, 2026 - 16:33 EUVD
Analysis Updated
May 13, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
May 13, 2026 - 16:00 vuln.today
CVE Published
May 13, 2026 - 14:15 nvd
HIGH 8.8

DescriptionCVE.org

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.

AnalysisAI

Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches.

Technical ContextAI

This vulnerability stems from CWE-78 (OS Command Injection), where user-supplied input is improperly sanitized before being passed to system shell commands. The affected Lenovo Personal Cloud Storage devices run embedded Linux-based firmware that likely exposes administrative or API interfaces to authenticated users. CPE data identifies ten distinct product lines affected: Personal Cloud T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20. These are network-attached storage (NAS) appliances designed for home and small business use, typically exposing web management interfaces and file-sharing protocols (SMB/CIFS, NFS, WebDAV). The command injection likely occurs in a web application component that processes user input without proper escaping, allowing shell metacharacters to break out of intended command contexts and execute attacker-controlled code with the privileges of the web service process, potentially root or an equivalently privileged system account.

RemediationAI

Check Lenovo's official advisories at https://iknow.lenovo.com.cn/detail/440274 for firmware updates specific to your device model. For Personal Cloud T1 devices, note the EOL announcement at https://pc.lenovo.com.cn/tips/Ann/t1_eol.html - these devices may not receive patches and should be decommissioned or isolated. For models still receiving support, apply the latest firmware as soon as available and verify the update through the device management interface. Compensating controls for unpatched or EOL devices: (1) Isolate devices on dedicated VLAN with strict firewall rules preventing internet access and limiting access to only required clients; (2) Disable remote access features and remove any port forwarding rules; (3) Implement strong authentication (change all default credentials, enforce complex passwords, enable multi-factor authentication if supported); (4) Monitor device logs for suspicious command execution attempts or unexpected administrative actions; (5) Consider replacing EOL devices with currently-supported NAS solutions. Network segmentation is critical - these devices should NEVER be directly internet-accessible. Note that disabling all network access defeats the device's purpose, so risk acceptance or device replacement may be the only viable long-term options for EOL models.

More in Lenovo

View all
CVE-2012-1195 HIGH POC
7.5 Feb 18

Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup

CVE-2012-1196 MEDIUM POC
5.0 Feb 18

Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen

CVE-2015-2219 HIGH POC
7.2 May 12

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo

CVE-2018-14066 CRITICAL POC
9.8 Jul 15

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone

CVE-2026-58583 HIGH POC
8.4 Jul 07

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve

CVE-2017-7293 HIGH POC
7.8 Apr 26

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to

CVE-2015-6971 HIGH POC
7.8 Oct 03

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the

CVE-2015-8110 HIGH POC
7.8 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav

CVE-2021-3633 HIGH POC
7.8 Aug 17

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow

CVE-2022-0354 HIGH POC
7.3 Apr 22

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab

CVE-2015-8109 HIGH POC
7.0 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak

CVE-2017-3761 CRITICAL
9.8 Oct 17

The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i

Share

EUVD-2026-30040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy