Hidden Server Vulnerability Could Allow Local Attackers to Execute Arbitrary Code
CVE-2024-45105

6.7MEDIUM

Key Information:

Vendor: Lenovo
Status: Hx5530 Appliance (thinkagile) BiOS; Hx645 V3 Integrated System (thinkagile) BiOS; Hx665 V3 Certified Node (thinkagile) BiOS; St250 V3 (thinksystem) BiOS
Vendor: CVE Published:; 13 September 2024

Summary

An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.

Affected Version(s)

HX1331 Certified Node (ThinkAgile) BIOS 0

HX2330 Appliance (ThinkAgile) BIOS 0

HX2331 Certified Node (ThinkAgile) BIOS 0

References

https://support.lenovo.com/us/en/product_security/LEN-165524

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 13, 2024
Vulnerability Reserved
Aug 21, 2024