CVE-2025-13154 PUBLISHED

Assigner: lenovo
Reserved: 13.11.2025 Published: 14.01.2026 Updated: 15.01.2026

An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges.

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 6.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Lenovo
Product	Vantage
Versions	Default: unaffected affected from 0 to 1.1.0.1111 (excl.)

Solutions

Update Vantage SmartPerformanceAddin to version 1.1.0.1111 or later.

SmartPerformanceAddin is automatically updated by Lenovo Vantage.

Credits

Lenovo thanks Alex Lee Tsz Hin @PwCHK and Manuel Kiesel (cyllective AG) / John Ostrowski (Compass Security) for reporting this issue. finder

References

https://support.lenovo.com/us/en/product_security/LEN-208293

Problem Types

CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE