What is CVE-2019-6171?

CVE-2019-6171 is a medium-severity vulnerability in Lenovo 20a7. CVSS score: 6.8/10. Published 2019-08-19.

How severe is CVE-2019-6171?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Is CVE-2019-6171 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Lenovo 20a7

CVE-2019-6171

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

EPSS: 0.003 (26.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Lenovo 20a7
Lenovo 20a7_firmware
Lenovo 20a8
Lenovo 20a8_firmware
Lenovo 20a9
Lenovo 20a9_firmware
Lenovo 20aa
Lenovo 20aa_firmware
Lenovo 20ab
Lenovo 20ab_firmware

Public proof-of-concept exploits

HeiderJeffer/Thinkpad-XX30-EC
hamishcoleman/thinkpad-ec

References

psirt@lenovo.com (x_refsource_MISC, Vendor Advisory)

Frequently asked questions

What is CVE-2019-6171?: CVE-2019-6171 is a medium-severity vulnerability in Lenovo 20a7. CVSS score: 6.8/10. Published 2019-08-19.
How severe is CVE-2019-6171?: Medium severity. CVSS v3 base score is 6.8 out of 10.
Is CVE-2019-6171 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.