Weak Default Password Vulnerability in Lenovo Personal Cloud Storage Devices
CVE-2021-42849

6.8MEDIUM

Key Information:

Vendor: Lenovo
Status: Personal Cloud Storage A1; Personal Cloud Storage T1; Personal Cloud Storage X1; Personal Cloud Storage T2
Vendor: CVE Published:; 18 May 2022

Summary

A vulnerability has been identified in certain Lenovo Personal Cloud Storage devices where a weak default password is set for the serial port. This security flaw may allow an attacker with physical access to the device to gain unauthorized access, potentially compromising the security of sensitive data stored on the device. Users are advised to change the default password to mitigate this risk and safeguard their personal information.

Affected Version(s)

Personal Cloud Storage A1 < 5.3.6.a1

Personal Cloud Storage T1 < 5.3.6.t1

Personal Cloud Storage T2 < 5.3.8.t2

References

https://iknow.lenovo.com.cn/detail/dc_200017.html

x_refsource_MISC

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 18, 2022
Vulnerability Reserved
Oct 22, 2021

Credit

Lenovo thanks Kais and KT of 360 Vulcan Team for reporting this issue.