LenovoCVEs & Vulnerabilities

397 CVEs affecting Lenovo products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

active protection system 49thinkstation p360 workstation firmware 40thinkcentre neo 30a 27 gen 4 firmware 30thinkcentre m75t gen 2 firmware 30thinkcentre m625q 28thinkcentre m625q firmware 28ideacentre 5-14iob6 27ideacentre 5-14iob6 firmware 27
CVE-2022-3699KEVHIGHin the wild

A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

11 Apr 2026
7.8
CVSS
CVE-2025-8485HIGH

An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application.

12 Nov 2025
7.3
CVSS
CVE-2025-8486HIGH

A potential vulnerability was reported in PC Manager that could allow a local authenticated user to execute code with elevated privileges.

15 Oct 2025
7.8
CVSS
CVE-2025-10581HIGH

A potential DLL hijacking vulnerability was discovered in the Lenovo PC Manager during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges.

15 Oct 2025
7.8
CVSS
CVE-2025-8098HIGH

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

18 Aug 2025
7.8
CVSS
CVE-2025-6232HIGH

An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying specific registry locations.

17 Jul 2025
7.8
CVSS
CVE-2025-6231HIGH

An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying an application configuration file.

17 Jul 2025
7.8
CVSS
CVE-2025-6230MEDIUM

A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute limited SQLite commands.

17 Jul 2025
5.3
CVSS
CVE-2025-2503HIGH

An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.

30 May 2025
7.1
CVSS
CVE-2025-2502HIGH

An improper default permissions vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges.

30 May 2025
7.8
CVSS
CVE-2025-2501HIGH

An untrusted search path vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges.

30 May 2025
7.8
CVSS
CVE-2024-9046HIGH

A DLL hijack vulnerability was reported in Lenovo stARstudio that could allow a local attacker to execute code with elevated privileges.

11 Oct 2024
7.8
CVSS
CVE-2024-5474MEDIUM

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

11 Oct 2024
5.5
CVSS
CVE-2024-4132HIGH

A DLL hijack vulnerability was reported in Lenovo Lock Screen that could allow a local attacker to execute code with elevated privileges.

11 Oct 2024
7.8
CVSS
CVE-2024-4131HIGH

A DLL hijack vulnerability was reported in Lenovo Emulator that could allow a local attacker to execute code with elevated privileges.

11 Oct 2024
7.8
CVSS
CVE-2024-4130HIGH

A DLL hijack vulnerability was reported in Lenovo App Store that could allow a local attacker to execute code with elevated privileges.

11 Oct 2024
7.8
CVSS
CVE-2024-4089HIGH

A DLL hijack vulnerability was reported in Lenovo Super File that could allow a local attacker to execute code with elevated privileges.

11 Oct 2024
7.8
CVSS
CVE-2024-45104MEDIUM

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.

13 Sep 2024
6.5
CVSS
CVE-2024-45103MEDIUM

A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges.

13 Sep 2024
4.3
CVSS
CVE-2023-1577HIGH

A path hijacking vulnerability was reported in Lenovo Driver Manager prior to version 3.1.1307.1308 that could allow a local user to execute code with elevated privileges.

1 Aug 2024
7.8
CVSS
CVE-2019-6198HIGH

A vulnerability was reported in Lenovo PC Manager prior to version 2.8.90.11211 that could allow a local attacker to escalate privileges.

1 Aug 2024
7.8
CVSS
CVE-2019-6197HIGH

A vulnerability was reported in Lenovo PC Manager prior to version 2.8.90.11211 that could allow a local attacker to escalate privileges.

1 Aug 2024
7.8
CVSS
CVE-2017-3772MEDIUM

A vulnerability was reported in Lenovo PC Manager versions prior to 2.6.40.3154 that could allow an attacker to cause a system reboot.

1 Aug 2024
5.5
CVSS
CVE-2024-2659HIGH

A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function.

15 Apr 2024
7.2
CVSS
CVE-2024-23591LOW

ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration setting. The server’s NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem significantly mitigates this issue.

16 Feb 2024
2.3
CVSS
CVE-2023-6450MEDIUM

An incorrect permissions vulnerability was reported in the Lenovo App Store app that could allow an attacker to use system resources, resulting in a denial of service.

19 Jan 2024
5.5
CVSS
CVE-2023-6044MEDIUM

A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker with physical access to impersonate Lenovo Vantage Service and execute arbitrary code with elevated privileges.

19 Jan 2024
6.8
CVSS
CVE-2023-6043HIGH

A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges.

19 Jan 2024
7.8
CVSS
CVE-2023-5081LOW

An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.

19 Jan 2024
3.3
CVSS
CVE-2023-5080HIGH

A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands.

19 Jan 2024
7.8
CVSS
CVE-2023-6540HIGH

A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information.

4 Jan 2024
7.5
CVSS
CVE-2023-6338HIGH

Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges.

4 Jan 2024
7.8
CVSS
CVE-2023-45079MEDIUM

A memory leakage vulnerability was reported in the NvmramSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables.

9 Nov 2023
6.7
CVSS
CVE-2023-45078MEDIUM

A memory leakage vulnerability was reported in the DustFilterAlertSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables.

9 Nov 2023
6.7
CVSS
CVE-2023-45077MEDIUM

A memory leakage vulnerability was reported in the 534D0740 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables.

9 Nov 2023
6.7
CVSS
CVE-2023-45076MEDIUM

A memory leakage vulnerability was reported in the 534D0140 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables.

9 Nov 2023
6.7
CVSS
CVE-2023-45075MEDIUM

A memory leakage vulnerability was reported in the SWSMI_Shadow DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables.

9 Nov 2023
6.7
CVSS
CVE-2023-43581MEDIUM

A buffer overflow was reported in the Update_WMI module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43580MEDIUM

A buffer overflow was reported in the SmuV11DxeVMR module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43579MEDIUM

A buffer overflow was reported in the SmuV11Dxe driver in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43578MEDIUM

A buffer overflow was reported in the SmiFlash module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43577MEDIUM

A buffer overflow was reported in the ReFlash module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43576MEDIUM

A buffer overflow was reported in the WMISwSmi module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43575MEDIUM

A buffer overflow was reported in the UltraFunctionTable module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43574MEDIUM

A buffer over-read was reported in the LEMALLDriversConnectedEventHook module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to disclose sensitive information.

9 Nov 2023
4.4
CVSS
CVE-2023-43573MEDIUM

A buffer overflow was reported in the LEMALLDriversConnectedEventHook module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
CVE-2023-43572MEDIUM

A buffer over-read was reported in the BiosExtensionLoader module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to disclose sensitive information.

9 Nov 2023
4.4
CVSS
CVE-2023-43571MEDIUM

A buffer overflow was reported in the BiosExtensionLoader module in some Lenovo Desktop products that may allow a local attacker with elevated privileges to execute arbitrary code.

9 Nov 2023
6.7
CVSS
← PrevPage 1 / 9Next →