CVE-2026-0827

HIGH

Lenovo Diagnostics < 5.26.0 and Lenovo Vantage < 4.7.1.4 - Authenticated Arbitrary File Write via Hardware Scan

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-0827. PoCs published by adminlove520, ZeroMemoryEx, XZ1r0.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-0827, which leverages a directory junction vulnerability in Lenovo LDE to achieve arbitrary file write with SYSTEM privileges. The PoC creates a mount point and symlink to redirect file writes to an attacker-controlled location.

Description

During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.

Exploits (3)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-0827

This repository contains a functional exploit for CVE-2026-0827, which leverages a directory junction vulnerability in Lenovo LDE to achieve arbitrary file write with SYSTEM privileges. The PoC creates a mount point and symlink to redirect file writes to an attacker-controlled location.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Lenovo LDE (LdeApi.Server.exe)
No auth needed
Prerequisites: Low-privileged user access · Lenovo LDE service running
devstral-2 · analyzed May 09, 2026

nomisec WORKING POC 1 star
by ZeroMemoryEx · poc
https://github.com/ZeroMemoryEx/CVE-2026-0827

This repository contains a functional exploit for CVE-2026-0827, which leverages a directory junction vulnerability in Lenovo LDE to achieve arbitrary file write with SYSTEM privileges. The PoC creates a mount point and symbolic link to redirect file writes to an attacker-controlled location.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Lenovo LDE (LdeApi.Server.exe)
No auth needed
Prerequisites: Low-privileged user access · Lenovo LDE service running
devstral-2 · analyzed Apr 16, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-0827

This repository contains a functional exploit PoC for CVE-2026-0827, which leverages a directory junction vulnerability in Lenovo LDE to achieve arbitrary file write with SYSTEM privileges. The exploit creates a mount point and symbolic link to redirect file writes to an attacker-controlled location.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Lenovo LDE (LdeApi.Server.exe)
No auth needed
Prerequisites: Low-privileged user access on a system with Lenovo LDE installed · Ability to create directories in C:\ProgramData\
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3: 7.1
EPSS: 0.0002
EPSS Percentile: 5.3%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-59
Status: published
Products (2):
Lenovo/Diagnostics < 5.26.0
Lenovo/Vantage < 4.7.1.4
Published: Apr 15, 2026
Tracked Since: Apr 15, 2026