
CVE-2025-14058: CWE-306: Missing Authentication for Critical Function in Lenovo Tab M11 TB330FU TB330XU

Severity: Low
Tags: vulnerability, CVE-2025-14058, CWE-306
Published: Wed Jan 14 2026 (01/14/2026, 22:20:37 UTC)
Source: CVE Database V5
Vendor/Project: Lenovo
Product: Tab M11 TB330FU TB330XU

Description

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 23:02:47 UTC

Technical Analysis

CVE-2025-14058 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) found in Lenovo Tab M11 models TB330FU and TB330XU. The flaw arises when the device is locked, and the setting 'Allow Control Center access when locked' is disabled, yet an unauthorized user with physical access can still modify Control Center settings without authentication. This indicates a failure in enforcing authentication controls on critical device functions when the device is locked. The vulnerability requires physical proximity and user interaction, as the attacker must access the device physically and interact with the Control Center interface. The CVSS v4.0 score is 2.4, reflecting low severity due to limited impact and exploitation complexity. The vulnerability primarily threatens device integrity by allowing unauthorized configuration changes, which could lead to further misuse or disruption. Confidentiality is not directly impacted, and availability impact is limited. No known exploits have been reported, and no patches are currently available. The vulnerability highlights a security design oversight in Lenovo's implementation of access controls on locked devices, potentially allowing attackers to bypass intended restrictions on critical functions.

Potential Impact

For European organizations, the impact of CVE-2025-14058 is generally low but context-dependent. Organizations that deploy Lenovo Tab M11 tablets in sensitive environments where physical device access cannot be strictly controlled may face risks of unauthorized configuration changes. Such changes could facilitate further attacks or disrupt device functionality, potentially affecting operational continuity. However, since the vulnerability requires physical access and user interaction, remote exploitation is not feasible, limiting large-scale impact. Data confidentiality remains intact, but integrity and availability could be marginally affected if attackers manipulate device settings. Sectors with high reliance on mobile devices for critical operations, such as government agencies, healthcare, and finance, should be particularly cautious. The absence of known exploits reduces immediate threat levels, but the vulnerability should be addressed proactively to prevent potential misuse.

Mitigation Recommendations

To mitigate CVE-2025-14058, European organizations should implement strict physical security controls to prevent unauthorized access to Lenovo Tab M11 devices, including secure storage and access policies. Administrators should verify that the 'Allow Control Center access when locked' setting is disabled and confirm on a locked device that the restriction is actually enforced. Regular audits of device configurations can help detect unauthorized changes. Employing device management solutions that enforce security policies and remotely monitor device status can further reduce risk. Lenovo should be engaged to provide patches or firmware updates addressing this vulnerability; until then, organizations should limit physical access and educate users on the risks. Additionally, consider deploying endpoint security solutions that can detect anomalous configuration changes. For high-risk environments, alternative devices with stronger locked-state protections may be considered.


Technical Details

Data Version: 5.2
Assigner Short Name: lenovo
Date Reserved: 2025-12-04T19:05:38.655Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69681d11f809b25a98e646e1

Added to database: 1/14/2026, 10:47:45 PM

Last enriched: 1/14/2026, 11:02:47 PM

Last updated: 1/15/2026, 12:32:51 AM
