Lenovo XClarity Orchestrator Local Network API Channel Abuse
CVE-2025-8557, published September 11, 2025
An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the following vulnerability: an attacker with access to a device on the local LXCO network segment may be able to manipulate that local device to create an alternate communication channel which, under certain conditions, could allow the attacker to interact directly with backend LXCO API services that are normally inaccessible to users. While access controls may limit the scope of that interaction, it could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.
Vulnerability Analysis
Weakness Type
Unprotected Alternate Channel (CWE-420)
The software protects a primary channel, but it does not apply the same level of protection to an alternate channel that reaches the same functionality.
Products Associated with CVE-2025-8557
Affected Versions
Lenovo XClarity Orchestrator (LXCO): versions before 2.2.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The accompanying percentile shows how that score compares with the scores of all other vulnerabilities.