AI description
CVE-2025-13154 describes an improper link following vulnerability found within the SmartPerformanceAddin component of Lenovo Vantage. This flaw enables an authenticated local user to execute arbitrary file deletion operations with elevated privileges. The vulnerability is characterized by a local attack vector, requiring low attack complexity and low privileges for successful exploitation, with no user interaction necessary. Its primary impact is on the availability of the affected system, allowing for significant disruption through file deletion.
- Description
- An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges.
- Source
- psirt@lenovo.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 6.8
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 5.5
- Impact score
- 3.6
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- psirt@lenovo.com
- CWE-59
- Hype score
- Not currently trending
John Ostrowski (Compass Security) and Manuel Kiesel (Cyllective AG) worked together on CVE-2025-13154, a Lenovo Vantage LPE. Even after Microsoft closed a known primitive, collaboration led to a working PoC. https://t.co/vunXyr408d #Windows #CVE #SecurityResearch #PrivEsc https
@compasssecurity
10 Feb 2026
2795 Impressions
12 Retweets
37 Likes
10 Bookmarks
1 Reply
0 Quotes
🚨 New blog post! Read about CVE-2025-13154, a privilege-escalation vulnerability in a Lenovo Vantage add-in called SmartPerformance. https://t.co/kKq0rEBqTL #windows #cve #infosec #pentest
@cyllective
17 Jan 2026
118 Impressions
2 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 New blog post! Read about CVE-2025-13154, a privilege escalation vulnerability in a Lenovo Vantage addin called SmartPerformance. https://t.co/kKq0rEBqTL #windows #cve #infosec #pentest
@cyllective
16 Jan 2026
94 Impressions
3 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-13154 Lenovo Vantage SmartPerformanceAddin Local Privilege Escalation via File Deletion https://t.co/kpJcjYheSx
@VulmonFeeds
15 Jan 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes