History: Nov 14, 2018 - 10:20 p.m.

Legacy Server BMC Remote Command Injection - Lenovo Support US

2018-11-14 22:20:01
support.lenovo.com
5

EPSS: 0.001 (percentile: 45.4%)

Lenovo Security Advisory: LEN-23836

**Potential Impact:** Arbitrary Code Execution

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2018-9086

Summary Description:

Lenovo has become aware that in certain legacy Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.

Mitigation Strategy for Customers (what you should do to protect yourself):

Restrict Authorized Privileged Access to Trusted Administrators.

Customers should update their product to the version listed below, or later.
