
CVE-2025-13453: CWE-311: Missing Encryption of Sensitive Data in Lenovo ThinkPlus FU100

Severity: High
Tags: Vulnerability, CVE-2025-13453, cve, cve-2025-13453, cwe-311
Published: Wed Jan 14 2026 (01/14/2026, 22:18:13 UTC)
Source: CVE Database V5
Vendor/Project: Lenovo
Product: ThinkPlus FU100

Description

A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

AI-Powered Analysis

Last updated: 01/14/2026, 22:47:41 UTC

Technical Analysis

CVE-2025-13453 identifies a vulnerability in Lenovo's ThinkPlus FU100 Gen 1 USB drives characterized by the absence of encryption for sensitive data stored on the device. Classified under CWE-311 (Missing Encryption of Sensitive Data), this flaw means that any data saved on these USB drives is stored in plaintext or otherwise unprotected form. An attacker with physical access to the device can directly read the data without needing any authentication or user interaction, significantly lowering the barrier to exploitation. The CVSS 4.0 vector (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) indicates that while physical access is required, the attack complexity is low, and the impact on confidentiality, integrity, and availability is high. No patches or firmware updates have been released yet, and no exploits have been observed in the wild. This vulnerability poses a critical risk for data confidentiality, especially in environments where these USB drives are used to transport or store sensitive corporate or personal data. Since the vulnerability is hardware-based and tied to the device’s design, software mitigations may be limited, necessitating alternative protective measures. The vulnerability was publicly disclosed in January 2026, with Lenovo as the vendor, highlighting the need for immediate risk assessment and mitigation by affected users.

Potential Impact

For European organizations, the primary impact is the potential exposure of sensitive data stored on ThinkPlus FU100 Gen 1 USB drives if devices are lost, stolen, or accessed by unauthorized personnel. This can lead to data breaches involving personal data, intellectual property, or confidential business information, resulting in regulatory penalties under GDPR and reputational damage. The vulnerability affects confidentiality most severely but also impacts data integrity and availability if attackers modify or delete data. Sectors relying heavily on portable storage for secure data transport, such as finance, healthcare, government, and critical infrastructure, face elevated risks. The ease of exploitation without authentication or user interaction increases the threat level, especially in environments with less stringent physical security controls. The lack of encryption means that traditional endpoint security solutions may not detect or prevent data extraction from the device. This vulnerability could also complicate compliance with European data protection laws that mandate encryption of sensitive data at rest. Organizations may face increased costs related to incident response, forensic investigations, and potential legal liabilities.

Mitigation Recommendations

Given the hardware nature of the vulnerability and absence of available patches, European organizations should immediately cease using Lenovo ThinkPlus FU100 Gen 1 USB drives for storing sensitive data. Implement full disk encryption solutions at the operating system or application level before writing data to the USB drive to ensure data confidentiality. Employ strict physical security controls to limit access to USB drives, including secure storage and inventory management. Use endpoint security tools capable of monitoring USB device usage and data transfers to detect unauthorized activities. Educate employees on the risks of using unencrypted portable storage devices and enforce policies restricting their use for sensitive information. Consider transitioning to USB drives with built-in hardware encryption certified by recognized standards (e.g., FIPS 140-2). Regularly audit and review data handling practices involving portable media to ensure compliance with GDPR and internal security policies. If retention of these devices is unavoidable, implement layered security controls such as password protection combined with software encryption. Monitor threat intelligence sources for any emerging exploits and Lenovo advisories for firmware updates or device replacements.
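One way to carry out the portable-media audit recommended above, added here as an example (it is not code from Lenovo or from this page's publisher): a heuristic scan of a mounted drive that flags files not wrapped in software encryption. The mount point, the 7.5 bits/byte entropy threshold, and the sample file names and contents are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE = 64 * 1024   # bytes inspected at the start of each file
ENTROPY_MIN = 7.5    # bits/byte; assumed cut-off for "looks like ciphertext"
# Headers written by common software-encryption tools: LUKS, age, openssl enc.
ENCRYPTED_MAGIC = (b"LUKS\xba\xbe", b"age-encryption.org/v1", b"Salted__")
# Compressed/media formats: high entropy, yet readable by anyone (zip, gzip, jpeg, png).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG")


def entropy(data: bytes) -> float:
    """Shannon entropy of non-empty data, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path) -> str:
    """Return 'likely_encrypted' or 'readable'; files too short to judge count as readable."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(ENCRYPTED_MAGIC):
        return "likely_encrypted"
    if head.startswith(COMPRESSED_MAGIC):
        return "readable"
    if len(head) >= 1024 and entropy(head) >= ENTROPY_MIN:
        return "likely_encrypted"
    return "readable"


def audit(mount_point: str) -> dict:
    """Map each file's path (relative to mount_point) to its classification."""
    root = Path(mount_point)
    return {str(p.relative_to(root)): classify(p) for p in root.rglob("*") if p.is_file()}


def demo() -> dict:
    """Audit a constructed sample tree standing in for a mounted USB drive."""
    samples = {
        "payroll.csv": b"name,iban,salary\n" * 200,          # plaintext
        "backup.zip": b"PK\x03\x04" + os.urandom(4096),      # compressed only
        "payroll.csv.enc": b"Salted__" + os.urandom(4096),   # openssl enc header
        "vault.bin": b"\x00" + os.urandom(4096),             # headerless ciphertext stand-in
    }
    with tempfile.TemporaryDirectory() as mnt:
        for name, body in samples.items():
            (Path(mnt) / name).write_bytes(body)
        return audit(mnt)
```

A `readable` result marks a file for review; a `likely_encrypted` result based on entropy alone is an indication, not proof, that the file was encrypted before it was written.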


Technical Details

Data Version: 5.2
Assigner Short Name: lenovo
Date Reserved: 2025-11-19T19:32:10.395Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6968198df809b25a98d55297

Added to database: 1/14/2026, 10:32:45 PM

Last enriched: 1/14/2026, 10:47:41 PM

Last updated: 1/14/2026, 11:37:50 PM
