Lenovo Security Advisory: LEN-23836
Potential Impact: Arbitrary Code Execution
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2018-9086
Summary Description:
Lenovo has become aware that in certain legacy Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.
Mitigation Strategy for Customers (what you should do to protect yourself):
Restrict Authorized Privileged Access to Trusted Administrators.
Customers should update their product to the version listed below, or later.