Description
A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote authenticated local network user may execute arbitrary commands on affected Lenovo Home Storage Hub and Personal Cloud devices, exposing the system to total compromise. The flaw is a command injection vulnerability, identified as CWE‑78, that allows malicious code to run with device privileges, potentially leaking data, modifying configuration, or disrupting availability.

Affected Systems

Affected devices include Lenovo Home Storage Hub T20 and X20, and a range of Personal Cloud models such as A1, A1s, T1, T2, T2Pro, T2s, X1, and X1s. Firmware versions are unspecified; any device running older firmware is considered vulnerable.

Risk and Exploitability

The CVSS score of 8.7 signals high risk, while the EPSS score is currently unavailable, suggesting limited public exploitation data. The vulnerability is not listed in CISA KEV, but an adversary with local network access and authentication credentials could utilize the flaw. The attack requires compromise of a legitimate user account on the same network, emphasizing the need for segmentation and strong credential management.

Generated by OpenCVE AI on May 13, 2026 at 18:03 UTC.

Remediation

Vendor Solution

Update device firmware to the version indicated in the advisory: https://iknow.lenovo.com.cn/detail/440274

OpenCVE Recommended Actions

  • Apply the firmware update released by Lenovo, as specified in the advisory linked in the detailed article.
  • Configure network segmentation to isolate the device’s management interfaces from general local network traffic, limiting the reach of any compromised credentials.
  • Change default administrative passwords and enforce robust authentication policies to reduce the likelihood of credential reuse or brute force exploitation.

Generated by OpenCVE AI on May 13, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Remote Authenticated Command Injection Allowing Arbitrary Code Execution on Lenovo Personal Cloud Devices

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
First Time appeared Lenovo
Lenovo home Storage Hub T20
Lenovo home Storage Hub X20
Lenovo personal Cloud A1
Lenovo personal Cloud A1s
Lenovo personal Cloud T1
Lenovo personal Cloud T2
Lenovo personal Cloud T2pro
Lenovo personal Cloud T2s
Lenovo personal Cloud X1
Lenovo personal Cloud X1s
Weaknesses CWE-78
CPEs cpe:2.3:a:lenovo:home_storage_hub_t20:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:home_storage_hub_x20:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_a1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_a1s:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2pro:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2s:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_x1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_x1s:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo home Storage Hub T20
Lenovo home Storage Hub X20
Lenovo personal Cloud A1
Lenovo personal Cloud A1s
Lenovo personal Cloud T1
Lenovo personal Cloud T2
Lenovo personal Cloud T2pro
Lenovo personal Cloud T2s
Lenovo personal Cloud X1
Lenovo personal Cloud X1s
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Home Storage Hub T20 Home Storage Hub X20 Personal Cloud A1 Personal Cloud A1s Personal Cloud T1 Personal Cloud T2 Personal Cloud T2pro Personal Cloud T2s Personal Cloud X1 Personal Cloud X1s
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-05-13T18:26:58.040Z

Reserved: 2026-04-14T14:42:10.223Z

Link: CVE-2026-6281

cve-icon Vulnrichment

Updated: 2026-05-13T18:26:48.567Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:17:01.773

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-6281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T18:15:16Z

Weaknesses