CVE-2025-13454 is a vulnerability identified in the Lenovo ThinkPlus FU100 Gen 1 device, specifically within its configuration software. The issue stems from the cleartext transmission of sensitive information, classified under CWE-319, which denotes the exposure of sensitive data during network communication without encryption. This vulnerability requires a local authenticated user to exploit, meaning the attacker must have some level of access to the device or system where the software is installed. Once exploited, the attacker can intercept or access sensitive device information that should otherwise be protected. The CVSS 4.0 vector indicates that the attack vector is local (AV:L), with low attack complexity (AC:L), no attack prerequisites (AT:N), and requires privileges (PR:L). There is no user interaction (UI:N) needed, and the vulnerability impacts confidentiality (VC:H) but not integrity or availability. The lack of known exploits in the wild and absence of patches suggests this is a newly disclosed issue. The vulnerability's root cause is the failure to encrypt sensitive data during transmission within the local environment, which could be leveraged by malicious insiders or compromised local accounts to gather device information that might facilitate further attacks or unauthorized access.

The primary impact of CVE-2025-13454 is the potential compromise of confidentiality of sensitive device information on Lenovo ThinkPlus FU100 Gen 1 devices. If exploited, attackers with local authenticated access could intercept or retrieve sensitive configuration or operational data, which might include credentials, device identifiers, or configuration parameters. This information leakage could facilitate lateral movement within an organization’s network, aid in privilege escalation, or enable targeted attacks against the affected devices or connected infrastructure. While the vulnerability does not directly affect system integrity or availability, the exposure of sensitive information can undermine trust in the device’s security posture and lead to broader security incidents. Organizations relying on these devices in sensitive environments, such as enterprise offices, government agencies, or critical infrastructure, could face increased risk of insider threats or local compromise. The medium severity rating reflects the limited attack vector but significant confidentiality impact if exploited.

To mitigate CVE-2025-13454, organizations should implement strict access controls to limit local authenticated access to trusted personnel only, reducing the risk of exploitation by unauthorized users. Network segmentation and endpoint security measures can help contain potential attackers with local access. Monitoring and logging local user activities on devices running ThinkPlus FU100 software can provide early detection of suspicious behavior. Since no patches are currently available, Lenovo users should stay alert for official updates or firmware/software patches addressing this vulnerability and apply them promptly once released. Additionally, organizations can consider encrypting local communications at the network level using VPNs or secure tunnels to add an extra layer of protection against interception. Reviewing and hardening device configuration and disabling unnecessary services that transmit sensitive data in cleartext can further reduce exposure. Finally, educating users about the risks of local credential compromise and enforcing strong authentication policies will help mitigate the threat.