Cyber Posture

CVE-2024-12673

Severity: High
Published: 12 February 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to elevate privileges on the system. This vulnerability only affects Vantage installed on these devices:

* Lenovo V Series (Gen 5)
* ThinkBook 14 (Gen 6, 7)
* ThinkBook 16 (Gen 6, 7)
* ThinkPad E Series (Gen 1)

Security Summary

CVE-2024-12673 is an improper privilege vulnerability (CWE-250) in the BIOS customization feature of Lenovo Vantage software, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects Lenovo Vantage installed only on specific SMB notebook devices: Lenovo V Series (Gen 5), ThinkBook 14 (Gen 6, 7), ThinkBook 16 (Gen 6, 7), and ThinkPad E Series (Gen 1).

A local attacker with low privileges can exploit this vulnerability through low-complexity means with no user interaction required. Successful exploitation enables privilege escalation on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Lenovo's security advisory provides details on mitigation and patches: https://support.lenovo.com/us/en/product_security/LEN-183176.

Details

CWE(s)
CWE-250

References