Lenovo Personal Cloud Storage Arbitrary Command Execution Vulnerability
Vulnerability
A vulnerability exists in certain Lenovo Personal Cloud Storage devices that allows remote authenticated users on the local network to execute arbitrary commands on the device. The issue affects the Lenovo Personal Cloud Storage T2s, T2Pro, and X1s and the Lenovo Home Storage Hub T20 and X20, each through specific versions. The vulnerability arises from inadequate access controls, enabling unauthorized command execution by authenticated users.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of commands on the affected device, potentially allowing for arbitrary code execution, data manipulation, or unauthorized access to information stored on the device.
Remediation
Users can update their device firmware to the latest version, which is available for the T2s, T2Pro, X1s, T20, and X20 models. Older models such as the T1, A1, A1s, T2, and X1 are no longer supported; for these, it is recommended to enable 'LAN Secure Access' in the Lenovo Home Storage App to enhance device security.
