CVE-2025-13154

An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-208293

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de seguimiento de enlace indebido fue reportada en el SmartPerformanceAddin para Lenovo Vantage que podría permitir a un usuario local autenticado realizar una eliminación arbitraria de archivos con privilegios elevados.

14 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-14 23:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-13154

Mitre link : CVE-2025-13154

CVE.ORG link : CVE-2025-13154

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2025-13154", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "psirt@lenovo.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-14T23:15:55.297", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-208293", "source": "psirt@lenovo.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges."}, {"lang": "es", "value": "Una vulnerabilidad de seguimiento de enlace indebido fue reportada en el SmartPerformanceAddin para Lenovo Vantage que podr\u00eda permitir a un usuario local autenticado realizar una eliminaci\u00f3n arbitraria de archivos con privilegios elevados."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "psirt@lenovo.com"}