
CVE-2024-12673

Severity: High · Type: LPE (local privilege escalation)

Published: 12 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Lenovo advisory LEN-183176 below)
CVSS Score: v4.0 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0007 (22.1st percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12673 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Lenovo Vantage (product inferred from references). Its CVSS v4.0 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 22.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12673 is an improper privilege vulnerability (CWE-250) in the BIOS customization feature of Lenovo Vantage software, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects Lenovo Vantage installed only on specific SMB notebook devices: Lenovo V Series (Gen 5), ThinkBook 14 (Gen 6, 7), ThinkBook 16 (Gen 6, 7), and ThinkPad E Series (Gen 1).

A local attacker with low privileges can exploit this vulnerability through low-complexity means with no user interaction required. Successful exploitation enables privilege escalation on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Lenovo's security advisory provides details on mitigation and patches: https://support.lenovo.com/us/en/product_security/LEN-183176.


Vulnerability details

An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to elevate privileges on the system. This vulnerability only affects Vantage installed on these devices:

* Lenovo V Series (Gen 5)
* ThinkBook 14 (Gen 6, 7)
* ThinkBook 16 (Gen 6, 7)
* ThinkPad E Series (Gen 1)

CWE(s)

CWE-250 Execution with Unnecessary Privileges

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct local privilege escalation via exploitation of improper privilege handling in the Lenovo Vantage BIOS customization feature.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58383 (shared CWE-250)
CVE-2025-22890 (shared CWE-250)
CVE-2025-57119 (shared CWE-250)
CVE-2024-21924 (shared CWE-250)
CVE-2024-49814 (shared CWE-250)
CVE-2026-0870 (shared CWE-250)
CVE-2026-1680 (shared CWE-250)
CVE-2025-40942 (shared CWE-250)
CVE-2024-48013 (shared CWE-250)
CVE-2026-3623 (shared CWE-250)

Affected Assets

Vendor: Lenovo
Product: Vantage
(Vendor and product inferred from references and description; NVD did not file a CPE for this CVE.)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Control type: prevent
Requires timely identification, reporting, and correction of the improper privilege flaw in Lenovo Vantage's BIOS customization feature to prevent local privilege escalation.

AC-6 (Least Privilege) · Control type: prevent
Enforces the principle of least privilege, ensuring the BIOS customization feature in Lenovo Vantage does not grant excessive privileges to local low-privilege attackers.

AC-3 (Access Enforcement) · Control type: prevent
Mandates enforcement of access control policies to block unauthorized privilege elevations via the vulnerable BIOS customization feature in Lenovo Vantage.
