CVE-2021-3972

high-risk
Published 2022-04-22

A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices' BIOS, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the secure boot setting by modifying an NVRAM variable.

Do I need to act?

3.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.7/10 Medium
LOCAL / LOW complexity

Affected Products (20)

Ideapad 3-14Ada05 Firmware
Ideapad 3-14Ada6 Firmware
Ideapad 3-14Alc6 Firmware
Ideapad 3-14Are05 Firmware
Ideapad 3-15Ada6 Firmware
Ideapad 3-15Alc6 Firmware
Ideapad 3-15Are05 Firmware
Ideapad 3-15Igl05 Firmware
Ideapad 3-17Ada05 Firmware
Ideapad 3-17Ada6 Firmware
Ideapad 3-17Alc6 Firmware
Ideapad 3-17Are05 Firmware
Ideapad 3-17Iil05 Firmware
Ideapad 3-17Itl6 Firmware
Ideapad 3-15Ada05 Firmware
L3 15Iml05 Firmware
L3-15Itl6 Firmware
L340-15Irh Firmware
L340-15Iwl Firmware
L340-15Iwl Touch Firmware

Affected Vendors

57 / 100
high-risk
Severity 21/34 · High
Exploitability 6/34 · Minimal
Exposure 30/34 · Critical