PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-13454 Lenovo CVE debrief

A local information disclosure vulnerability in Lenovo ThinkPlus configuration software allows authenticated users to access sensitive device information. The vulnerability, classified as CWE-319 (Cleartext Transmission of Sensitive Information), affects firmware for multiple ThinkPlus device models including the FU100, FU200, TU800, and TSD303. The CVSS 4.0 vector indicates local attack vector with low attack complexity, low privileges required, and high confidentiality impact to the vulnerable system. The issue was published in the NVD on January 14, 2026, and last modified on June 1, 2026, reaching 'Analyzed' status. Lenovo has issued a vendor advisory through their PSIRT. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Lenovo
Product: ThinkPlus FU100
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-14
Original CVE updated: 2026-06-01
Advisory published: 2026-01-14
Advisory updated: 2026-06-01

Who should care

Organizations deploying Lenovo ThinkPlus FU100, FU200, TU800, or TSD303 devices; IT administrators managing ThinkPlus device configurations; security teams monitoring for local privilege escalation and information disclosure risks in endpoint device management software.

Technical summary

The vulnerability exists in ThinkPlus configuration software where a local authenticated user can gain access to sensitive device information. The CVSS 4.0 score of 6.8 (MEDIUM) reflects a local attack vector with low complexity and low privilege requirements, resulting in high confidentiality impact. Affected products include firmware for ThinkPlus FU100, FU200, TU800, and TSD303 models. The underlying weakness is categorized as CWE-319 (Cleartext Transmission of Sensitive Information) per the vendor's PSIRT submission.

Defensive priority

medium

Recommended defensive actions

  • Review Lenovo vendor advisory for affected ThinkPlus device models and available firmware updates
  • Restrict local access to systems running ThinkPlus configuration software to authorized administrators only
  • Monitor for unauthorized access attempts to ThinkPlus configuration interfaces
  • Apply firmware updates from Lenovo when available for FU100, FU200, TU800, and TSD303 devices
  • Audit local user accounts with access to ThinkPlus configuration software and enforce principle of least privilege

Evidence notes

The CVE description states that a 'local authenticated user' can access 'sensitive device information.' NVD CPE data identifies the affected firmware as the ThinkPlus FU100, FU200, TU800, and TSD303 models. The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H confirms a local attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact on the vulnerable system. The weakness source (the vendor's PSIRT contact, whose e-mail address is obfuscated on this page) identifies CWE-319. NVD vulnStatus is 'Analyzed' as of the June 1, 2026 modification.
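As an added triage check (example code written for this debrief, not from the PatchSiren page or Lenovo), the following Python parses the CVSS 4.0 vector quoted above, reports which mandatory base metrics the quoted fragment omits, and compares the parsed values with the attributes the note says the vector confirms. Metric names and allowed values follow the CVSS 4.0 specification; PAGE_VECTOR and PAGE_CLAIMS are taken from the evidence note, and the function names are this example's own.

```python
"""Validate a CVSS 4.0 vector fragment against an advisory's narrative claims.
Added example for the CVE-2025-13454 debrief; the vector and claims below come
from the evidence note, everything else is constructed for illustration."""
import re

# CVSS 4.0 base metrics and their allowed values (per the CVSS 4.0 spec):
# exploitability, then vulnerable-system (V*) and subsequent-system (S*) impact.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}
_METRIC_RE = re.compile(r"^([A-Z]{1,3}):([A-Z])$")  # e.g. AV:L, MAV:N, E:P


def parse_cvss4_vector(vector: str) -> dict:
    """Return {metric: value}; accepts an optional 'CVSS:4.0/' prefix and
    raises ValueError on malformed, duplicate or out-of-range base metrics."""
    parts = vector.strip().split("/")
    if parts and parts[0].startswith("CVSS:"):
        if parts[0] != "CVSS:4.0":
            raise ValueError(f"not a CVSS 4.0 vector: {parts[0]}")
        parts = parts[1:]
    metrics = {}
    for part in parts:
        m = _METRIC_RE.match(part)
        if not m:
            raise ValueError(f"malformed metric: {part!r}")
        name, value = m.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        if name in BASE_METRICS and value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    return metrics


def missing_base_metrics(metrics: dict) -> list:
    """Base metrics the spec requires but the vector omits (a quoted fragment
    such as the one in the evidence note will report several)."""
    return [name for name in BASE_METRICS if name not in metrics]


def check_claims(metrics: dict, claims: dict) -> dict:
    """Return {metric: (claimed, actual)} for each claim the vector does not back."""
    return {k: (v, metrics.get(k)) for k, v in claims.items() if metrics.get(k) != v}


# From the evidence note: the quoted vector and the attributes it is said to confirm.
PAGE_VECTOR = "AV:L/AC:L/AT:N/PR:L/UI:N/VC:H"
PAGE_CLAIMS = {"AV": "L", "AC": "L", "PR": "L", "UI": "N", "VC": "H"}
```

An empty result from check_claims means the narrative matches the vector; a non-empty missing_base_metrics list means the vector as quoted is a fragment and the score cannot be recomputed from it alone.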

Official resources

2026-01-14T23:15:55.647Z