Description
An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application.
Published: 2026-03-11
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

An improper certificate validation vulnerability exists in Lenovo FileZ applications that permits an entity capable of intercepting network traffic to read sensitive user data transmitted by the application. The weakness is identified as CWE‑295 (Improper Certificate Validation) and effectively allows the attacker to obtain confidential information such as authentication credentials, session tokens, or other private data stored or sent within the application. This could lead to data compromise for the affected user(s).

Affected Systems

The vulnerability affects Lenovo FileZ for both Android and Windows platforms. All installations prior to the patched releases are impacted. The vendor recommends updating the Android client to version 11.1.0.35 or newer and the Windows client to version 10.12.3.0 or newer.

Risk and Exploitability

The CVSS score of 6 indicates a medium severity risk. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the issue is not listed in CISA’s KEV catalog. Exploitation would most likely involve a man‑in‑the‑middle (MITM) attack on the network path, requiring the attacker to intercept traffic between the device and the server. Successful exploitation would allow the intercepting user to view or extract sensitive data, compromising confidentiality for individual users.

Generated by OpenCVE AI on March 17, 2026 at 14:55 UTC.

Remediation

Vendor Solution

Update Lenovo FileZ Android application to version 11.1.0.35 or later.

OpenCVE Recommended Actions

  • Update Lenovo FileZ Android to version 11.1.0.35 or newer.
  • Update Lenovo FileZ Windows to version 10.12.3.0 or newer.

Generated by OpenCVE AI on March 17, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.filez.com/securityPolicy cve-icon cve-icon
History

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Title Improper Certificate Validation in Lenovo FileZ Allows Sensitive Data Interception

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application.
First Time appeared Lenovo
Lenovo filez
Weaknesses CWE-295
CPEs cpe:2.3:a:lenovo:filez:*:*:android:*:*:*:*:*
cpe:2.3:a:lenovo:filez:*:*:windows:*:*:*:*:*
Vendors & Products Lenovo
Lenovo filez
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Filez
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-03-12T16:19:12.229Z

Reserved: 2026-01-16T19:33:39.508Z

Link: CVE-2026-1068

cve-icon Vulnrichment

Updated: 2026-03-12T15:35:54.256Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T21:16:14.137

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-1068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:17Z

Weaknesses