CVE-2025-14058 in Tab M11 TB330FU TB330XU

Summary

by MITRE • 01/15/2026

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled.


Analysis

by VulDB Data Team • 01/15/2026

This vulnerability is a critical authentication bypass affecting certain Lenovo tablet models whose access controls on the Control Center are insufficient. Even when the "Allow Control Center access when locked" setting is disabled, physical access to a locked device is enough to change system settings through the Control Center interface, so the setting does not enforce the boundary it promises. The issue is reachable through the device's local interface rather than over the network, which makes it available to anyone who holds the device.

Technically, the flaw stems from inadequate checking of the user's authentication and authorization state within the Control Center access layer. When the device is locked, the system should require authentication before exposing administrative functions; here that check is either bypassed or implemented incorrectly. The result is a privilege escalation path in which someone with physical access can change system settings without being authorized. The weakness is classified as a missing authentication issue under CWE-287, which covers authentication failures that allow unauthorized access to protected resources. The flaw is mapped to ATT&CK technique T1547.001, which concerns establishing persistence through system service manipulation, although in this case the impact is unauthorized configuration change rather than service manipulation.

The operational impact goes beyond unauthorized access to the Control Center itself. An attacker could change network configuration, security policies, or other Control Center settings that affect device integrity and data protection. This is especially dangerous in enterprise environments, where tablets may hold sensitive corporate data or act as access points to critical infrastructure. The physical access requirement does not remove the threat: devices are routinely left unattended in public spaces or within reach of unauthorized personnel. Because the device can no longer maintain its security boundary while locked, the flaw could enable follow-on attacks such as credential theft or data exfiltration through modified network settings.

Mitigation should focus on enforcing authentication within the device's Control Center interface. Organizations should immediately disable the "Allow Control Center access when locked" option across all affected Lenovo tablet deployments and run an inventory check to identify vulnerable devices. Note, however, that the summary above describes the flaw as present precisely when this option is disabled, so the setting alone cannot be relied on and the vendor fix remains necessary. Device manufacturers should enforce authentication checks regardless of lock state, including multi-factor authentication for administrative functions. Security patches should be applied to address the underlying implementation flaw, and administrators should monitor for unauthorized configuration changes that might indicate exploitation attempts. The vulnerability underlines the importance of correct access control implementation and of security testing of device-level interfaces, not only network-facing ones.

Responsible: Lenovo

Reservation: 12/04/2025

Disclosure: 01/15/2026

Moderation: accepted

CPE: ready

EPSS: 0.00042

KEV: no

Activities: very low

Sources
