Lenovo Universal Device Client Improper Certificate Validation Vulnerability Allowing Information Disclosure

Vulnerability

A vulnerability in the Lenovo Universal Device Client (UDC) has been identified, stemming from improper certificate validation. This issue could allow an attacker who intercepts network traffic to read application metadata that should be protected by encryption, which may include device information, geolocation, and telemetry data. Lenovo UDC is a service that connects clients to Lenovo cloud services and is preloaded on some Lenovo devices. It is also a component of Lenovo Device Intelligence, Lenovo Device Manager, and Lenovo ThinkSmart Manager.
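To make the vulnerability class concrete, the following added example (not Lenovo's code, and unrelated to how UDC is actually implemented) shows a TLS client configuration that skips certificate validation beside a hardened one, with a small audit function of my own (`audit_tls_context`) that flags the weak settings a reviewer would look for.

```python
import ssl
from typing import List


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation weaknesses found in a client SSLContext.

    The checks and their wording are this example's own (assumed), not a
    published standard. An empty list means the context requires a trusted
    certificate, checks the hostname, and refuses legacy TLS versions.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (minimum_version < TLSv1_2)")
    return findings


def weak_client_context() -> ssl.SSLContext:
    # The failure mode behind an "improper certificate validation" finding:
    # traffic is encrypted, but the client accepts any certificate, so an
    # on-path interceptor can present its own and read the metadata.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be disabled before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True
    # and loads the system trust store; cafile pins a specific CA bundle instead.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The same audit can be pointed at any `SSLContext` an application builds, which is a quick way to catch validation being switched off during code review.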

Impact

Exploitation of this vulnerability could lead to unauthorized access to encrypted application metadata, including sensitive device information and telemetry data.

Remediation

Users should update Lenovo UDC to version 25.7.0.21 or newer. Lenovo UDC is updated automatically through Windows Update. For manual update instructions, visit the Lenovo Drivers & Software support site for your product.

Added: Oct 15, 2025, 5:20 PM
Updated: Oct 15, 2025, 5:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.