PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-13453 Lenovo CVE debrief

A medium-severity vulnerability in select Lenovo ThinkPlus USB drives allows an attacker with physical access to read stored data. The issue, published 2026-01-14 and last modified 2026-06-01, affects the firmware of ThinkPlus FU100, FU200, TU800, and TSD303 Gen1 devices. The CVSS 4.0 vector (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) reflects a high confidentiality impact, with a physical attack vector and no user interaction required. Lenovo has issued a vendor advisory. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: Lenovo
Product: ThinkPlus FU100
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-14
Original CVE updated: 2026-06-01
Advisory published: 2026-01-14
Advisory updated: 2026-06-01

Who should care

Organizations using Lenovo ThinkPlus FU100, FU200, TU800, or TSD303 Gen1 USB drives for data storage, particularly in environments where physical device security cannot be guaranteed.

Technical summary

The vulnerability exists in the firmware of specific Lenovo ThinkPlus USB drive models. An attacker with physical access to the device can read stored data due to missing encryption of sensitive data (CWE-311). The attack requires no privileges or user interaction and has low attack complexity, but is constrained by the physical access vector. Confidentiality impact is high; integrity and availability impacts are none.
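
Added example (not Lenovo's or NVD's code): a small Python decoder for the CVSS 4.0 vector quoted in this debrief, used to check the vector against the prose in the technical summary. The vector as quoted on this page carries no SC/SI/SA metrics, so the decoder reports them as absent instead of assuming values; the function and key names are illustrative.

```python
# Added example. Metric names/values follow the CVSS v4.0 spec (base metrics only).
IMPACT = {"H": "High", "L": "Low", "N": "None"}
BASE_METRICS = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "AT": ("Attack Requirements", {"N": "None", "P": "Present"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    "VC": ("Vulnerable System Confidentiality", IMPACT),
    "VI": ("Vulnerable System Integrity", IMPACT),
    "VA": ("Vulnerable System Availability", IMPACT),
    "SC": ("Subsequent System Confidentiality", IMPACT),
    "SI": ("Subsequent System Integrity", IMPACT),
    "SA": ("Subsequent System Availability", IMPACT),
}
# Vector exactly as quoted on this page (no "CVSS:4.0/" prefix, no SC/SI/SA).
PAGE_VECTOR = "AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N"

def decode(vector):
    """Return (decoded, missing): readable metrics and base metrics the string omits."""
    decoded = {}
    for part in vector.strip().split("/"):
        key, _, value = part.partition(":")
        if key == "CVSS" and value == "4.0":  # optional version prefix
            continue
        if key not in BASE_METRICS or key in decoded:
            raise ValueError(f"unknown or repeated metric: {part!r}")
        name, allowed = BASE_METRICS[key]
        if value not in allowed:
            raise ValueError(f"invalid value for {name}: {part!r}")
        decoded[key] = (name, allowed[value])
    return decoded, [k for k in BASE_METRICS if k not in decoded]

def triage(decoded):
    """Answer the questions the technical summary states in prose."""
    value = lambda key: decoded.get(key, (None, None))[1]
    return {
        "physical_access_only": value("AV") == "Physical",
        "no_privileges_needed": value("PR") == "None",
        "no_user_interaction": value("UI") == "None",
        "data_exposure": value("VC") == "High",
        "tamper_or_outage": value("VI") != "None" or value("VA") != "None",
    }

if __name__ == "__main__":
    metrics, missing = decode(PAGE_VECTOR)
    print({key: label for key, (_, label) in metrics.items()})
    print("not in quoted vector:", missing, "| triage:", triage(metrics))
```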

Defensive priority

Medium

Recommended defensive actions

  • Review the Lenovo vendor advisory for the affected ThinkPlus USB drive models and any available firmware updates
  • Inventory deployed ThinkPlus FU100, FU200, TU800, and TSD303 Gen1 USB drives
  • Apply vendor-provided firmware updates if available; replace devices if no patch is offered
  • Implement physical security controls to restrict unauthorized access to sensitive USB storage devices
  • Encrypt sensitive data at the application or file level before storing on affected USB drives
  • Monitor for unauthorized physical access to environments where these devices are used

Evidence notes

CPE data confirms affected firmware runs on ThinkPlus FU100, FU200, TU800, and TSD303 Gen1 hardware. The weakness is mapped to CWE-311 (Missing Encryption of Sensitive Data).

Official resources

Lenovo disclosed this vulnerability via its PSIRT advisory. The NVD entry was published on 2026-01-14 and analyzed by 2026-06-01. No CISA KEV listing exists.