CVE-2021-3849

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

Published: Apr 22, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-3849
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
lenovo / nextscale_n1200_enclosure_firmware	-	fhet50b-2.90
lenovo / thinkagile_hx_enclosure_certified_node_firmware	-	tesm28b-1.21
lenovo / thinkagile_vx_enclosure_firmware	-	tesm28b-1.21
lenovo / thinksystem_d2_enclosure_firmware	-	tesm28b-1.21
ibm / nextscale_fan_power_controller_firmware	-	44a-3.70

https://support.lenovo.com/us/en/product_security/LEN-72615

Vulnerability Database

289,871

CVE-2021-3849