CVE-2025-13453 identifies a vulnerability in Lenovo's ThinkPlus FU100 Gen 1 USB drives where sensitive data stored on the device is not encrypted, classified under CWE-311 (Missing Encryption of Sensitive Data). This flaw allows any individual with physical access to the USB drive to directly read stored data without needing authentication or user interaction. The vulnerability was published on January 14, 2026, with a CVSS 4.0 base score of 5.1, indicating medium severity. The attack vector is physical (AV:P), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability impacts confidentiality (VC:H) but does not affect integrity or availability. No patches or firmware updates have been released by Lenovo to address this issue, and no known exploits have been observed in the wild. The lack of encryption means that if the device is lost, stolen, or accessed by unauthorized personnel, sensitive data can be easily extracted. This vulnerability highlights the critical importance of encryption for portable storage devices, especially those used in enterprise environments where data confidentiality is paramount.

The primary impact of CVE-2025-13453 is the compromise of data confidentiality. Organizations relying on Lenovo ThinkPlus FU100 Gen 1 USB drives for storing sensitive or proprietary information face the risk of data leakage if the devices fall into unauthorized hands. This could lead to exposure of intellectual property, personal identifiable information (PII), or confidential business data. Although the vulnerability does not affect data integrity or availability, the breach of confidentiality alone can result in regulatory non-compliance, reputational damage, and potential financial losses. The requirement for physical access limits the scope of exploitation to scenarios involving lost, stolen, or improperly secured devices. However, in environments with high employee turnover, travel, or remote work, the risk of physical device compromise increases. The absence of encryption also undermines trust in the device's security, potentially affecting Lenovo's reputation and customer confidence.

To mitigate the risks posed by CVE-2025-13453, organizations should implement the following specific measures: 1) Immediately audit and identify all Lenovo ThinkPlus FU100 Gen 1 USB drives in use and restrict their use for storing sensitive data. 2) Enforce strict physical security controls to prevent unauthorized access to USB drives, including secure storage and access logging. 3) Replace affected USB drives with devices that provide hardware-based encryption or use software encryption solutions such as BitLocker To Go or VeraCrypt to secure data before writing to the drive. 4) Implement endpoint security policies that disable or restrict USB port usage where feasible to reduce data exfiltration risks. 5) Educate employees on the risks of using unencrypted portable storage and enforce data handling policies that prohibit storing sensitive information on unencrypted devices. 6) Monitor for lost or stolen devices and have an incident response plan to address potential data breaches. 7) Engage with Lenovo for updates or firmware patches and apply them promptly once available. These steps go beyond generic advice by focusing on device inventory, encryption enforcement, and organizational policy adjustments tailored to this vulnerability.