The three vulnerabilities found could be exploited to install malware onto machines, and the company is being accused of allowing a massive security risk.
Uncovered by IOActive security, the vulnerabilities affect machines running System Update version 126.96.36.199 or earlier. All ThinkPad, ThinkCentre, ThinkStation and Lenovo V/B/K/E series were vulnerable to the issues.
Lenovo has since acknowledged the findings and urged users to download a patch in order to update the systems. This patch was released in April after the vulnerabilities were discovered in February. The findings have only been made public this week.
One of the flaws discovered would allow “Local and potentially remote attackers [to] bypass signature validation checks and replace trusted Lenovo applications with malicious applications. The System Update downloads executables from the Internet and runs them.”
The other two vulnerabilities discovered would enable hackers to gain a higher level of control over a system, including one that allows local and unprivileged users to run administrative commands.
Lenovo said in a statement: “Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.”