Lenovo XClarity Orchestrator Unauthorized Access Vulnerability

A vulnerability in Lenovo XClarity Orchestrator (LXCO) has been identified, allowing an attacker with access to a local device on the LXCO network segment to create an alternate communication channel. This could enable direct interaction with backend LXCO API services that are usually inaccessible to users. Although access controls might restrict the extent of this interaction, it could lead to unauthorized access to internal functionality or data. This vulnerability cannot be exploited from remote networks.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal LXCO functionality or data.

Remediation

Users are advised to update to Lenovo XClarity Orchestrator version 2.2.0 or newer. For update instructions, visit the Lenovo Drivers & Software support site or refer to Lenovo's update management tools for PC Products and Software or Server and Enterprise Software.