CVE-2025-14058

Summary

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled.

Affected Software

VendorProductVersion RangeStatus
LenovoTab M11 TB330FU TB330XU0 < 17.0.284affected
LenovoTab K11 TB330FU0 < 17.0.284affected
LenovoTab K11 TB330FUP0 < 17.0.254affected
LenovoTab K11 TB330XU0 < 17.0.084affected
LenovoTab K11 TB330XUP0 < 17.0.254affected
LenovoIdea Tab Pro TB373FU0 < ZUI_17.0.04.266_ST_251120affected
LenovoTab K9 TB305FU0 < 17.0.10.118affected
LenovoTab K9 TB305XU0 < 17.0.10.098affected
LenovoTab Plus TB351FU0 < 17.5.10.023affected
LenovoTab M8 4th Gen 2024 TB301FU0 < TB301FU_USR_S000126_250919_MP1V1111_ROWaffected
LenovoTab M8 4th Gen 2024 TB301XU0 < TB301XU_USR_S000147_250919_MP1V1111_ROWaffected
LenovoTab Extreme TB570ZU TB570FU0 < 17.5.184affected
LenovoTab M10 5G TB360ZU0 < 16.0.882affected
LenovoTab M8 4th Gen TB300FU0 < TB300XU_USR_S100149_250919_MP1V1111_ROWaffected
LenovoTab M8 4th Gen TB300XU0 < TB300FU_USR_S100122_250919_MP1V1111_ROWaffected
LenovoTab M9 TB310FU0 < TB310XU_USR_S000913_2510021921_mp1V969_ROWaffected
LenovoTab M9 TB310XU0 < TB310FU_USR_S000912_2510022135_mp1V969_ROWaffected
LenovoTab P11 2nd Gen TB350XU0 < TB350FU_USER_S231044_2601050946affected
LenovoTab P11 2nd Gen TB350FU0 < TB350XU_USER_S231018_2601050930affected
LenovoTab P12 TB370FU0 < 17.0.267affected
LenovoTab P12 TB372FU0 < 17.0.267affected
LenovoTab K11 Plus LTE TB352FU0 < 17.0.10.250affected
LenovoTab K11 Plus LTE TB352XU0 < 17.0.10.242affected
LenovoYoga Tab Plus TB520FU0 < 17.5.10.036affected
LenovoTab K11 Gen 2 TB336ZU0 < 17.0.10.541affected
LenovoTAB70 < 17.0.10.541affected
LenovoLenovo Tab with Clear Case TB311FU0 < 17.0.30.303affected
LenovoLenovo Tab with Folio Case TB311XU0 < 17.0.31.259affected
LenovoLegion Tab TB321FU0 < 17.5.10.031affected
LenovoLegion Tab TB320FC0 < 17.0.339affected
LenovoIdea Tab TB336FU0 < 17.5.10.041affected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References