CVE-2017-3753
high-risk
Published 2017-08-10
A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.
Do I need to act?
EPSS: 0.04% chance of exploitation (low exploit probability)
CISA KEV: not on the list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 6.8/10 (Medium); PHYSICAL attack vector, LOW complexity
Affected Products (20)
Ideacentre 300-20Ish Firmware
Ideacentre 300S-11Ish Firmware
Ideacentre 700 Firmware
H50-30G Firmware
M4500 Id Firmware
V320-15Iap Firmware
Thinkcentre E73S Firmware
Thinkcentre E93 Firmware
Thinkcentre M4500Q Firmware
Thinkcentre M610 Firmware
Thinkcentre M6500T/S Firmware
Thinkcentre M6600T/S Firmware
Thinkcentre M710T/S Firmware
Thinkcentre M72E Firmware
Thinkcentre M73 Firmware
Thinkcentre M79 Firmware
Thinkcentre M8600T/S Firmware
Thinkcentre M910Q Firmware
Thinkcentre M910X Firmware
Thinkcentre M92 Firmware
Affected Vendors
References (2)
Overall score: 53/100 · high-risk
Severity: 22/34 · High
Exploitability: 0/34 · Minimal
Exposure: 31/34 · Critical