CVE-2026-14371
Lenovo · XClarity Integrator for Microsoft Windows Admin Center
The Lenovo XClarity Integrator for Microsoft Windows Admin Center is vulnerable to OS command injection, allowing authenticated users to execute arbitrary commands.
Executive summary
Lenovo XClarity Integrator for Microsoft Windows Admin Center versions 4.7.1 through 5.1.1 are susceptible to an OS command injection vulnerability that could result in total system compromise.
Vulnerability
This is an OS command injection vulnerability caused by the improper neutralization of special elements in user-supplied input. The attack requires an authenticated user with low privileges to trigger the flaw.
Business impact
Successful exploitation allows an authenticated attacker to execute arbitrary commands on the underlying host, leading to a total loss of confidentiality, integrity, and availability. This risk is significant, as the affected software is used for infrastructure management, potentially granting attackers administrative control over the managed environment. The CVSS score of 8.8 underscores the gravity of this security lapse.
Remediation
Immediate Action: Update the XClarity Integrator for Microsoft Windows Admin Center to version 5.2 or later.
Proactive Monitoring: Monitor system logs for unexpected process execution or abnormal administrative activity originating from the integration service.
Compensating Controls: Implement strict access control lists to limit the number of users who can interact with the plugin, thereby reducing the pool of potential attackers.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
The vulnerability represents a significant risk to the integrity of managed infrastructure. Organizations must apply the vendor-provided update to version 5.2 without delay to eliminate the risk of arbitrary command execution.