CVE-2025-8557

11.09.2025, 19:15

An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability:

An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
lenovo	CNA	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-420 - Unprotected Alternate Channel
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

Vulnerability Media Exposure

[GERMAN] Lenovo XClarity Orchestrator: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
Ein lokaler Angreifer kann eine Schwachstelle in Lenovo XClarity Orchestrator ausnutzen, um Sicherheitsvorkehrungen zu umgehen und so Zugriff auf interne Funktionen oder Daten zu erhalten.
Published: 2025-09-09T22:00:00+00:00

References

https://support.lenovo.com/us/en/product_security/LEN-201014