Description
An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Improper Certificate Validation
Action: Immediate Patch
AI Analysis

Impact

An improper certificate validation flaw (CWE-295) in the Lenovo FileZ application allows an attacker who can intercept network traffic to present a forged certificate that the app will accept. This defect enables arbitrary code execution on the device, compromising execution integrity and potentially granting full control of the system.

Affected Systems

Both the Android and Windows editions of Lenovo FileZ are vulnerable. Lenovo recommends updating the Android app to version 11.1.0.35 or later and the Windows app to version 10.12.3.0 or later. Administrators should verify the installed version and apply these updates promptly.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1 % suggests a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a man‑in‑the‑middle or similar network interception scenario that permits the attacker to trigger the flaw without additional user interaction.

Generated by OpenCVE AI on March 17, 2026 at 17:32 UTC.

Remediation

Vendor Solution

Update Lenovo FileZ Android application to version 11.1.0.35 or later.

OpenCVE Recommended Actions

  • Update Lenovo FileZ Android application to version 11.1.0.35 or later
  • Update Lenovo FileZ Windows application to version 10.12.3.0 or later

Generated by OpenCVE AI on March 17, 2026 at 17:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.filez.com/securityPolicy cve-icon cve-icon
History

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Title Improper Certificate Validation in Lenovo FileZ Allows Arbitrary Code Execution

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.
First Time appeared Lenovo
Lenovo filez
Weaknesses CWE-295
CPEs cpe:2.3:a:lenovo:filez:*:*:android:*:*:*:*:*
cpe:2.3:a:lenovo:filez:*:*:windows:*:*:*:*:*
Vendors & Products Lenovo
Lenovo filez
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Filez
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-03-12T16:19:05.164Z

Reserved: 2026-02-11T20:29:58.887Z

Link: CVE-2026-2368

cve-icon Vulnrichment

Updated: 2026-03-12T15:37:57.035Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T21:16:15.473

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-2368

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:16Z

Weaknesses