Skip to main content

Lenovo

Vendor security scorecard – 299 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 794
299
CVEs
12
Critical
135
High
0
KEV
15
PoC
111
Unpatched C/H
25.1%
Patch Rate
1.1%
Avg EPSS

Severity Breakdown

CRITICAL
12
HIGH
135
MEDIUM
145
LOW
6

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2012-1195 Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.5%. HIGH 7.5 86.5% 159
PoC No patch
CVE-2012-1196 Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.4%. MEDIUM 5.0 77.4% 137
PoC No patch
CVE-2015-2219 Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 29.6%. HIGH 7.2 29.6% 101
PoC No patch
CVE-2018-14066 The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 0.4% 69
PoC No patch
CVE-2026-58583 Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. Publicly available exploit code exists; there is no public exploit identified as actively exploited (not in CISA KEV), though the vulnerability was reported by CISA (cisa-cg). HIGH 8.4 0.1% 62
PoC
CVE-2017-7293 The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.8 2.1% 61
PoC No patch
CVE-2015-6971 Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.8 0.1% 59
PoC No patch
CVE-2015-8110 Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.8 0.1% 59
PoC No patch
CVE-2021-3633 A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.8 0.3% 59
PoC No patch
CVE-2022-0354 A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.3 0.1% 57
PoC No patch
CVE-2015-8109 Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available. HIGH 7.0 0.0% 55
PoC No patch
CVE-2017-3761 The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host. CRITICAL 9.8 4.5% 54
CVE-2020-8353 Prior to August 10, 2020, some Lenovo Desktop and Workstation systems were shipped with the Embedded Host Based Configuration (EHBC) feature of Intel AMT enabled. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. MEDIUM 6.7 0.5% 54
PoC No patch
CVE-2013-1361 Untrusted search path vulnerability in Lenovo Thinkpad Bluetooth with Enhanced Data Rate Software 6.4.0.2900 and earlier allows local users, and possibly remote attackers, to execute arbitrary code. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available. CRITICAL 9.3 5.4% 52
No patch
CVE-2017-3758 Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. CRITICAL 9.8 2.4% 51

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy