CVE-2024-12673
Published: 12 February 2025
Summary
CVE-2024-12673 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Lenovo Vantage (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-12673 is an improper privilege vulnerability (CWE-250) in the BIOS customization feature of Lenovo Vantage software, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects Lenovo Vantage installed only on specific SMB notebook devices: Lenovo V Series (Gen 5), ThinkBook 14 (Gen 6, 7), ThinkBook 16 (Gen 6, 7), and ThinkPad E Series (Gen 1).
A local attacker with low privileges can exploit this vulnerability through low-complexity means with no user interaction required. Successful exploitation enables privilege escalation on the affected system, resulting in high impacts to confidentiality, integrity, and availability.
Lenovo's security advisory provides details on mitigation and patches: https://support.lenovo.com/us/en/product_security/LEN-183176.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51047
Vulnerability details
An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to elevate privileges on the system. This vulnerability only affects Vantage installed on these devices: *…
more
Lenovo V Series (Gen 5) * ThinkBook 14 (Gen 6, 7) * ThinkBook 16 (Gen 6, 7) * ThinkPad E Series (Gen 1)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct local privilege escalation via exploitation of improper privilege handling in Lenovo Vantage BIOS customization feature.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the improper privilege flaw in Lenovo Vantage's BIOS customization feature to prevent local privilege escalation.
Enforces the principle of least privilege, ensuring the BIOS customization feature in Lenovo Vantage does not grant excessive privileges to local low-privilege attackers.
Mandates enforcement of access control policies to block unauthorized privilege elevations via the vulnerable BIOS customization feature in Lenovo Vantage.