{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2368", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2026-02-11T20:29:58.887Z", "datePublished": "2026-03-11T20:21:05.818Z", "dateUpdated": "2026-03-12T16:19:05.164Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "FileZ", "vendor": "Lenovo", "versions": [{"lessThan": "10.12.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["Android"], "product": "FileZ", "vendor": "Lenovo", "versions": [{"lessThan": "11.1.0.35", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:filez:*:*:windows:*:*:*:*:*", "versionEndExcluding": "10.12.3.0", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:filez:*:*:android:*:*:*:*:*", "versionEndExcluding": "11.1.0.35", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.&nbsp;"}], "value": "An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 7.5, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2026-03-11T20:21:05.818Z"}, "references": [{"url": "https://www.filez.com/securityPolicy"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update&nbsp;Lenovo&nbsp;FileZ&nbsp;Android&nbsp;application to version&nbsp;11.1.0.35&nbsp;or&nbsp;later.&nbsp;"}], "value": "Update\u00a0Lenovo\u00a0FileZ\u00a0Android\u00a0application to version\u00a011.1.0.35\u00a0or\u00a0later."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div><p>Update&nbsp;Lenovo&nbsp;FileZ Windows&nbsp;application to version&nbsp;10.12.3.0&nbsp;or&nbsp;later.&nbsp;</p></div></div></div>"}], "value": "Update\u00a0Lenovo\u00a0FileZ Windows\u00a0application to version\u00a010.12.3.0\u00a0or\u00a0later."}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0-beta"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:37:56.286622Z", "id": "CVE-2026-2368", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:19:05.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T15:37:56.286622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:37:57.035Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Lenovo", "product": "FileZ", "versions": [{"status": "affected", "version": "0", "lessThan": "10.12.3.0", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Lenovo", "product": "FileZ", "versions": [{"status": "affected", "version": "0", "lessThan": "11.1.0.35", "versionType": "custom"}], "platforms": ["Android"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update\u00a0Lenovo\u00a0FileZ\u00a0Android\u00a0application to version\u00a011.1.0.35\u00a0or\u00a0later.", "supportingMedia": [{"type": "text/html", "value": "Update&nbsp;Lenovo&nbsp;FileZ&nbsp;Android&nbsp;application to version&nbsp;11.1.0.35&nbsp;or&nbsp;later.&nbsp;", "base64": false}]}, {"lang": "en", "value": "Update\u00a0Lenovo\u00a0FileZ Windows\u00a0application to version\u00a010.12.3.0\u00a0or\u00a0later.", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><p>Update&nbsp;Lenovo&nbsp;FileZ Windows&nbsp;application to version&nbsp;10.12.3.0&nbsp;or&nbsp;later.&nbsp;</p></div></div></div>", "base64": false}]}], "references": [{"url": "https://www.filez.com/securityPolicy"}], "x_generator": {"engine": "Vulnogram 1.0.0-beta"}, "descriptions": [{"lang": "en", "value": "An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.", "supportingMedia": [{"type": "text/html", "value": "An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.&nbsp;", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:filez:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.12.3.0", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:filez:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.1.0.35", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2026-03-11T20:21:05.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2368", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:19:05.164Z", "dateReserved": "2026-02-11T20:29:58.887Z", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "datePublished": "2026-03-11T20:21:05.818Z", "assignerShortName": "lenovo"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code."}], "id": "CVE-2026-2368", "lastModified": "2026-03-12T21:08:22.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:15.473", "references": [{"source": "psirt@lenovo.com", "url": "https://www.filez.com/securityPolicy"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.12.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FileZ", "source": "cna", "vendor": "Lenovo"}, "product": "filez", "vendor": "lenovo"}, {"configurations": [{"platform": ["android"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.1.0.35)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FileZ", "source": "cna", "vendor": "Lenovo"}, "product": "filez", "vendor": "lenovo"}], "analysis": {"en": {"generated_at": "2026-03-17T17:32:41.448005+00:00", "value": {"mitigation_remediation": ["Update Lenovo FileZ Android application to version 11.1.0.35 or later", "Update Lenovo FileZ Windows application to version 10.12.3.0 or later"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Improper Certificate Validation"}, "threat_synthesis": {"affected_systems": "Both the Android and Windows editions of Lenovo FileZ are vulnerable. Lenovo recommends updating the Android app to version\u202f11.1.0.35 or later and the Windows app to version\u202f10.12.3.0 or later. Administrators should verify the installed version and apply these updates promptly.", "description_and_impact": "An improper certificate validation flaw (CWE-295) in the Lenovo FileZ application allows an attacker who can intercept network traffic to present a forged certificate that the app will accept. This defect enables arbitrary code execution on the device, compromising execution integrity and potentially granting full control of the system.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than\u202f1\u202f% suggests a low current probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is a man\u2011in\u2011the\u2011middle or similar network interception scenario that permits the attacker to trigger the flaw without additional user interaction."}}}}, "created": "2026-03-12T09:56:09.377632+00:00", "title": "Improper Certificate Validation in Lenovo FileZ Allows Arbitrary Code Execution", "updated": "2026-03-20T15:37:16.343552+00:00", "vendors": ["lenovo", "lenovo$PRODUCT$filez"]}