Vulnerability Details : CVE-2021-3897
An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
Products affected by CVE-2021-3897
- cpe:2.3:o:ibm:nextscale_fan_power_controller_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:nextscale_n1200_enclosure_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:thinkagile_hx_enclosure_certified_node_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:thinkagile_vx_enclosure_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:thinksystem_d2_enclosure_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3897
0.17%: Probability of exploitation activity in the next 30 days
~ 55%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3897
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Lenovo Group Ltd. | |
CWE ids for CVE-2021-3897
- The product requires authentication, but the product has an alternate path or channel that does not require authentication. Assigned by: psirt@lenovo.com (Secondary)
References for CVE-2021-3897
- https://support.lenovo.com/us/en/product_security/LEN-72615
  Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware - Lenovo Support NL (Vendor Advisory)