Description
An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to delete arbitrary registry keys with elevated privileges.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

An input validation vulnerability was discovered in the DeviceSettingsSystemAddin component used by Lenovo Vantage and Lenovo Baiying. The flaw allows a local authenticated user to delete arbitrary registry keys with elevated privileges. Because deleting or otherwise manipulating registry entries can alter software behavior or cause a denial of service, the flaw can result in privilege escalation or system disruption. The weakness corresponds to CWE-88 (Incorrect Preservation of Object References).

Affected Systems

The vulnerability affects Lenovo Vantage and Lenovo Baiying products that use the DeviceSettingsSystemAddin module. Specific affected version details are not listed, but the known fix applies to all releases prior to DeviceSettingsSystemAddin version 1.0.8.15. Any deployment running an older version of the add-in should therefore be considered potentially vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium to high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The flaw is limited to locally authenticated users, does not require remote access, and is not listed in the CISA KEV catalog. An attacker would need local access to the machine to trigger the deletion of critical registry keys, so the risk falls primarily on systems with privileged local users. Nevertheless, the potential for significant impact warrants prompt remediation.

Generated by OpenCVE AI on March 17, 2026 at 14:53 UTC.

Remediation

Vendor Solution

Update Vantage DeviceSettingsSystemAddin to version 1.0.8.15 or later. DeviceSettingsSystemAddin is automatically updated by Lenovo Vantage and Baiying.


OpenCVE Recommended Actions

  • Apply the Lenovo Vantage and Baiying update to DeviceSettingsSystemAddin version 1.0.8.15 or later.
  • Confirm that the update has been applied to the DeviceSettingsSystemAddin component.
  • Monitor the system for anomalous registry changes and review logs for unauthorized access attempts.
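As an added illustration of the confirm-and-monitor steps above (example code, not part of the OpenCVE record or of Lenovo's tooling): a PowerShell helper that compares the installed add-in's file version against the fixed version as a [version] rather than as a string, and a Security-log query for registry-key deletions. The add-in install path, the file-name pattern and the audit policy are assumptions; adjust them for the host.

```powershell
# Added example: confirm the DeviceSettingsSystemAddin version and look for
# registry-key deletions. The install path and file-name pattern below are
# assumptions, not values from the advisory; locate the add-in and adjust.
$FixedVersion = [version]'1.0.8.15'
$AddinRoot    = 'C:\ProgramData\Lenovo\Vantage\Addins'   # assumed location

function Test-AddinPatched {
    param([string]$InstalledVersion, [version]$Fixed = $FixedVersion)
    # Compare as [version], not as strings: '1.0.10.2' sorts below '1.0.8.15'
    # lexically but is numerically newer. Unparseable input counts as unpatched.
    $v = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$v)) {
        Write-Warning "Unparseable version string: '$InstalledVersion'"
        return $false
    }
    return ($v -ge $Fixed)
}

function Get-AddinStatus {
    # Walk every DLL/EXE under the add-in tree whose name mentions the add-in
    Get-ChildItem -Path $AddinRoot -Recurse -Include '*.dll','*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*DeviceSettingsSystemAddin*' } |
        ForEach-Object {
            $fv = $_.VersionInfo.FileVersion
            [pscustomobject]@{
                File    = $_.FullName
                Version = $fv
                Patched = if ($fv) { Test-AddinPatched $fv } else { $false }
            }
        }
}

function Get-RegistryKeyDeletions {
    param([int]$Hours = 24)
    # Requires "Audit Registry" (object access) auditing and a SACL on the keys
    # of interest; 4663 carries ObjectType 'Key' and an AccessMask with DELETE.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectType -eq 'Key' -and ([int]$d.AccessMask -band 0x10000)) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName
                               Process = $d.ProcessName; Key = $d.ObjectName }
        }
    }
}

Get-AddinStatus
Get-RegistryKeyDeletions -Hours 24
```

Run from an elevated prompt; reading the Security log and the ProgramData tree requires administrative rights.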


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | | Local Privilege Escalation via Input Validation in Lenovo Vantage & Baiying DeviceSettingsSystemAddin

Thu, 12 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to delete arbitrary registry keys with elevated privileges.
First Time appeared | | Lenovo; Lenovo baiying; Lenovo vantage
Weaknesses | | CWE-88
CPEs | | cpe:2.3:a:lenovo:baiying:*:*:*:*:*:*:*:*; cpe:2.3:a:lenovo:vantage:*:*:*:*:*:*:*:*
Vendors & Products | | Lenovo; Lenovo baiying; Lenovo vantage
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-03-12T16:18:30.536Z

Reserved: 2026-01-30T19:00:48.303Z

Link: CVE-2026-1716

Vulnrichment

Updated: 2026-03-12T15:35:49.067Z

NVD

Status: Analyzed

Published: 2026-03-11T21:16:15.017

Modified: 2026-03-25T18:23:11.183

Link: CVE-2026-1716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:11Z

Weaknesses