API Command Execution Vulnerability in Lenovo's SMM and FPC Products
CVE-2023-2993

5.4 MEDIUM

Key Information:

Vendor: Lenovo
CVE Published: 26 June 2023

Summary

An authenticated user with limited privileges may exploit a security flaw within Lenovo's SMM v1, SMM v2, and FPC products. By crafting malicious web management server API calls, the user can execute commands that they would typically be prevented from performing due to their restricted access level. This vulnerability underscores the importance of reviewing user permissions and securing API endpoints to prevent unauthorized command execution.

Affected Version(s)

Fan Power Controller (FPC) various

System Management Module (SMM) various

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
