CVE-2018-9082
high-risk
Published 2018-09-28
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
Do I need to act?
-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Storcenter Px12-450R Firmware
Storcenter Px12-400R Firmware
Storcenter Px4-300R Firmware
Storcenter Px6-300D Firmware
Storcenter Px4-300D Firmware
Storcenter Px2-300D Firmware
Storcenter Ix4-300D Firmware
Storcenter Ix2 Firmware
Storcenter Ix2-Dl Firmware
Ez Media \& Backup Center Firmware
Px12-450R Firmware
Px12-400R Firmware
Px4-400R Firmware
Px4-300R Firmware
Px6-300D Firmware
Px4-400D Firmware
Px4-300D Firmware
Px2-300D Firmware
Ix4-300D Firmware
Ix2 Firmware
Affected Vendors
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24224
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24224
51
/ 100
high-risk
Severity
30/34 · Critical
Exploitability
1/34 · Minimal
Exposure
20/34 · Moderate