CVE-2023-4856 — Vulnetix

CVE-2023-4856 PUBLISHED CVSS 8.800000190734863 HIGH

A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint.

EPSS 0.39% · 60.4th percentile

Risk Scores

CVSS 3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.39%

60.4th percentile

Affected Products

Vendor	Product	Versions
Lenovo	SMM, SMM2, FPC	*, various
lenovo	fan_power_controller	0, 0
lenovo	system_management_module_firmware	1.24, 1.24

Exploit Intelligence

https://support.lenovo.com/us/en/product_security/LEN-140420 (circl)

Timeline

Apr 15, 2024 CVE Published
Apr 16, 2024 EPSS Score
May 11, 2024 EPSS Score
Jun 6, 2024 EPSS Score
Jul 1, 2024 EPSS Score
Jul 26, 2024 EPSS Score
Aug 19, 2024 EPSS Score
Sep 13, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 8, 2024 EPSS Score
Nov 2, 2024 EPSS Score
Nov 27, 2024 EPSS Score

References

https://support.lenovo.com/us/en/product_security/LEN-140420 url
https://nvd.nist.gov/vuln/detail/CVE-2023-4856 advisory

Open in Interactive Console →