CVE-2023-25495

high-risk
Published 2023-04-28

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password that XCC uses to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.

Do I need to act?

EPSS: 0.14% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.9/10 (Medium); attack vector NETWORK, attack complexity LOW

Affected Products (20)

Thinkagile Hx5530 Firmware
Thinkagile Hx7530 Firmware
Thinkagile Vx3331 Firmware
Thinkagile Hx Enclosure Firmware
Thinkagile Hx1021 Firmware
Thinkagile Hx1320 Firmware
Thinkagile Hx1321 Firmware
Thinkagile Hx1331 Firmware
Thinkagile Hx1520-R Firmware
Thinkagile Hx1521-R Firmware
Thinkagile Hx2320-E Firmware
Thinkagile Hx2321 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2331 Firmware
Thinkagile Hx2720-E Firmware
Thinkagile Hx3320 Firmware
Thinkagile Hx3321 Firmware
Thinkagile Hx3330 Firmware
Thinkagile Hx3331 Firmware

Affected Vendors

Risk score: 52/100 (high-risk)
Severity 20/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 31/34 · Critical