CVE-2023-25495

Severity: Medium
Published: 28 April 2023
Modified: 21 November 2024
CISA KEV: not listed
CVSS v3.1: 4.9 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0028 (52.1st percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-25495 is a medium-severity Insufficiently Protected Credentials (CWE-522) vulnerability in the Lenovo XClarity Controller (XCC) firmware shipped on ThinkAgile systems (the HX7530 among many others; see Affected Assets). Its CVSS v3.1 base score is 4.9 (Medium): the flaw is reachable over the network with low attack complexity, but it requires a high-privilege (administrative) authenticated session, needs no user interaction, and affects confidentiality only.

Operationally, its EPSS score places it in the top 47.9% of CVEs by predicted exploit likelihood (52.1st percentile); it is not currently listed in the CISA KEV catalog.

Vulnerability details

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC (XClarity Controller) to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.

In practice the credential at risk is the LDAP bind password that XCC stores for directory lookups, so the impact is bounded by what that bind account is permitted to do in the directory, and the password should be treated as disclosed on any XCC that an untrusted or departed administrator could have reached before the update.

CWE(s)

CWE-522: Insufficiently Protected Credentials

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lenovo thinkagile hx5530 firmware ≤ 2.93_afbt30p
lenovo thinkagile hx7530 firmware ≤ 2.93_afbt30p
lenovo thinkagile vx3331 firmware ≤ 2.93_afbt30p
lenovo thinkagile hx enclosure firmware ≤ 3.72_tei388s
lenovo thinkagile hx1021 firmware ≤ 3.72_tei388s
lenovo thinkagile hx1320 firmware ≤ 8.88_cdi3a4a
lenovo thinkagile hx1321 firmware ≤ 8.88_cdi3a4a
lenovo thinkagile hx1331 firmware ≤ 2.93_afbt30p
lenovo thinkagile hx1520-r firmware ≤ 8.88_cdi3a4a
lenovo thinkagile hx1521-r firmware ≤ 8.88_cdi3a4a
+99 more product configuration(s) — see NVD for full list
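The affected-version ceilings above are the check a fleet owner needs: which managed systems are still running an XCC firmware build inside the affected range. The script below is an added example written for this page, not Lenovo tooling, and it covers only the ten products listed here (the NVD entry has many more). It assumes that a Lenovo firmware version string such as "2.93_afbt30p" can be ordered on its numeric major.minor prefix and that the suffix is a build tag with no documented ordering, so a build that shares the ceiling's numeric prefix but carries a different tag is reported for manual review rather than declared clean. The inventory rows, and the build tags AFBT25X, CDI3B1A and TEI400Q in them, are constructed sample data and hypothetical identifiers.

```python
"""Triage a firmware inventory against the CVE-2023-25495 affected-version ceilings.

Added example for this page, not Lenovo's own tooling. The ceilings are the ones
listed under Affected Assets; the sample inventory rows are constructed.
Assumption: versions are compared on their numeric major.minor prefix only; the
suffix is treated as an unordered build tag.
"""
import re

# Product -> highest affected version, taken from the Affected Assets list on this page.
AFFECTED_CEILINGS = {
    "thinkagile hx5530 firmware": "2.93_afbt30p",
    "thinkagile hx7530 firmware": "2.93_afbt30p",
    "thinkagile vx3331 firmware": "2.93_afbt30p",
    "thinkagile hx enclosure firmware": "3.72_tei388s",
    "thinkagile hx1021 firmware": "3.72_tei388s",
    "thinkagile hx1320 firmware": "8.88_cdi3a4a",
    "thinkagile hx1321 firmware": "8.88_cdi3a4a",
    "thinkagile hx1331 firmware": "2.93_afbt30p",
    "thinkagile hx1520-r firmware": "8.88_cdi3a4a",
    "thinkagile hx1521-r firmware": "8.88_cdi3a4a",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:_([0-9a-z]+))?$")


def parse_version(version):
    """Split '2.93_afbt30p' into ((2, 93), 'afbt30p'); raise ValueError on anything else."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return (int(m.group(1)), int(m.group(2))), (m.group(3) or "")


def classify(product, version):
    """Return 'affected', 'review', 'not_affected' or 'unknown_product' for one system."""
    ceiling = AFFECTED_CEILINGS.get(product.strip().lower())
    if ceiling is None:
        return "unknown_product"          # not one of the products listed on this page
    num, tag = parse_version(version)
    ceiling_num, ceiling_tag = parse_version(ceiling)
    if num < ceiling_num:
        return "affected"                 # strictly below the ceiling's major.minor
    if num > ceiling_num:
        return "not_affected"             # strictly above it
    # Same major.minor as the ceiling: only the identical build is known-affected;
    # any other build tag is flagged for a human to check against the vendor advisory.
    return "affected" if tag == ceiling_tag else "review"


# Constructed sample inventory: (host, product, running XCC firmware version).
# The build tags AFBT25X, CDI3B1A and TEI400Q are hypothetical identifiers.
SAMPLE_INVENTORY = [
    ("hx7530-01", "ThinkAgile HX7530 Firmware", "2.93_AFBT30P"),   # exactly the ceiling
    ("hx7530-02", "ThinkAgile HX7530 Firmware", "2.80_AFBT25X"),   # hypothetical older build
    ("hx1320-01", "ThinkAgile HX1320 Firmware", "9.10_CDI3B1A"),   # hypothetical newer build
    ("hx1021-01", "ThinkAgile HX1021 Firmware", "3.72_TEI400Q"),   # hypothetical same-number build
    ("sr650-01", "ThinkSystem SR650 Firmware", "2.93_AFBT30P"),    # product not on this page
]


def triage(inventory):
    """Group hosts by classification so the known-affected ones are updated first."""
    groups = {"affected": [], "review": [], "not_affected": [], "unknown_product": []}
    for host, product, version in inventory:
        groups[classify(product, version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s}{', '.join(hosts) or '-'}")
```

Hosts in the "affected" group should be updated and, per the credential-revocation control below, have their LDAP bind password rotated afterwards; "review" hosts need the exact build checked against Lenovo's advisory; "unknown_product" hosts are outside the ten products this page lists and must be checked against the full NVD configuration list.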

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry, CWE-522 (Insufficiently Protected Credentials), and every control listed addresses that weakness.

Training instructs users on protecting credentials from disclosure or unauthorized access.

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

Protecting authenticator content from unauthorized disclosure and modification, while requiring protective controls, addresses insufficiently protected credentials.

Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.

Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination. For this CVE that means rotating the LDAP client password stored in XCC once the firmware has been updated, since any administrator who had access before the update could have read it.

Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
