Permissions Vulnerability in Elliptic Labs Virtual Lock Sensor Affects Lenovo Devices
CVE-2025-0886

8.5 HIGH

What is CVE-2025-0886?

A permissions vulnerability has been identified in the Elliptic Labs Virtual Lock Sensor that could allow a local authenticated user to escalate privileges on affected Lenovo devices. The issue arises from improper enforcement of user permission settings, which could let a malicious actor gain unauthorized access to sensitive operations. Users and administrators should be aware of this issue and implement the necessary security measures to mitigate the risk.

Affected Version(s)

Elliptic Human Presence Detection Device Driver for T14 Gen 4 (Type 21K3, 21K4): versions before 1000.100.108.1893

Elliptic Human Presence Detection Device Driver for T14 Gen 5 (Type 21ML, 21MM): versions before 1000.100.108.801

Elliptic Human Presence Detection Device Driver for T14s Gen 5 (Type 21LS, 21LT): versions before 1000.100.108.801

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lenovo thanks Alexander Staalgaard, JN Data Red Team, for reporting this issue.