CVE-2018-9069

Home/CVE/In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adeq

CVE

In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adeq

In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adequately protected against, potentially allowing an attacker with administrator access to alter the contents of BIOS.

MEDIUM · CVSS 5.9 EPSS 0.00211

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

▤

Affected Products & Versions

hp 310s-14isk firmware< 1.15
hp 320-15ikbra firmware< 6jcn24ww
hp 320-15ikbrn firmware< 6jcn24ww
hp 320-15ikbrn touch firmware< 6jcn24ww
hp 320-17ikbrn< 2.09
hp 320s-14ikb< 2.09
hp 320s-15ikb firmware< 2.09
hp 320s-15isk firmware< 2wcn38ww
Show all 60 affected productshp 510s-14isk firmware< 1.15
hp 520-15ikbrn firmware< 6jcn26ww
hp 520s-14ikb firmware< 2.09
hp 710s plus-13ikb 16g firmware< 2.55
hp 710s plus-3ikb firmware< 2.55
hp xiaoxinair13ikbpro firmware< 2.55
hp 710s plus touch-13ikb firmware< 2.55
hp 720s-13ikb firmware< 5scn38ww
hp b320-14ikb firmwareall versions
lenovo e42-80 firmware< 2wcn38ww
lenovo e52-80 firmware< 2wcn38ww
hp flex 4-1470 firmware< 1.15
hp flex 5-1470 firmware< 2.09
hp flex 5-1570 firmware< 2.09
hp ideapad 2in1 14 firmwareall versions
hp lenovo ideapad 320-14ikb\(i\+a\) firmwareall versions
hp lenovo ideapad 320-14ikb\(i\+n\) firmwareall versions
hp lenovo ideapad 320-15abr firmwareall versions
hp lenovo ideapad 320-15ikb\(i\+n\) firmwareall versions
hp lenovo ideapad 320s-14ikbr firmwareall versions
hp lenovo ideapad 320s-15ikbr firmwareall versions
hp lenovo ideapad 520s-14ikbr firmwareall versions
hp lenovo ideapad 720s-14ikb firmware< 6jcn26ww
hp lenovo ideapad flex 5-1470 firmware< 6jcn26ww
hp lenovo ideapad flex 5-1570 firmware< 6jcn26ww
hp lenovo ideapad y520-15ikbn firmwareall versions
hp lenovo tianyi 310-14ikb firmwareall versions
hp lenovo tianyi 310-15ikb firmwareall versions
hp lenovo y520-15ikba firmware< 5jcn25ww
hp lenovo y520-15ikbm firmware< 5jcn25ww
hp lenovo yoga 520-14ikb firmware< 6jcn26ww
hp lenovo yoga 520-15ikb firmware< 6jcn26ww
hp miix 720-12ikb< 3scn66ww
hp nano110-14ikb firmwareall versions
hp nano110-15ikb firmware< 5xcn24ww
hp rescuer r720-15ikbm firmware< 5xcn24ww
hp rescuer y520-15ikbm firmware< 5xcn24ww
lenovo v310-14ikb firmware< 2wcn38ww
lenovo v310-14isk firmware< 4.07
lenovo v310-15ikb firmware< 2wcn38ww
lenovo v310-15isk firmware< 0zcn47ww
hp v330-14ikb firmware< 4.07
hp v330-14isk firmware< 4.07
lenovo v510-14ikb firmware< 2wcn38ww
lenovo v510-15ikb firmware< 2wcn38ww
hp yoga 310-11iap firmware< 6.7
hp yoga 510-14isk firmware< 1.15
hp yoga 720-13ikb firmware< 2.05
hp yoga 720-13ikbr firmware< 2.07
hp yoga 720-15ikb firmware< 2.05
hp lenovo v720-14 firmware< 2.12
hp 7000 u42 firmware< 2.09

▣

Scoring & Timeline

5.9

MEDIUM · CVSS v3.1 · psirt@lenovo.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD02 Oct 2018 · 01:29 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://support.lenovo.com/us/en/solutions/LEN-20184Vendor Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin