CVE-2022-40283: command injection flaw affects multiple Lenovo products

CVE-2022-40283

Lenovo has issued a security advisory warning of a medium-severity vulnerability in the Quectel Wireless WAN driver that affects multiple device models. Exploiting the flaw may allow an attacker to execute specific adapter commands.

Tracked as CVE-2022-40283, the bug is caused by a flaw in the Quectel EM05-CE Wireless WAN driver. By sending a specially crafted request, an attacker could exploit this vulnerability to execute specific adapter commands.

CVE-2022-40283 impacts dozens of devices across various models, including the Lenovo L14 Gen 2 (Type 20X1, 20X2) Laptop, Lenovo L15 Gen 2 (Type 20X3, 20X4) Laptop, Lenovo P1 Gen 4 (Type 20Y3, 20Y4) Laptop, Lenovo P14s Gen 2 (Type 20VX, 20VY) Laptop, and more…

The bug was fixed in version 2.0.12. Users can view a complete list of the impacted computer models, and the Quectel Wireless WAN driver version that fixes this vulnerability, on the Lenovo website, with links to the download portal for each model.

Alternatively, you can navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fixed version for your product from the applicable product table below with the latest version posted on the support site.