CVE-2018-9085

Name: CVE-2018-9085
Creator: NVD / NIST
Published: 2018-11-16T14:29:00.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.66%

Last modified Jun 17, 2026

CVE-2018-9085 is a vulnerability of currently unknown severity. A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.. EPSS estimates a 0.66% chance of exploitation in the next 30 days.

Description

A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.

Metrics

EPSS Probability

0.66%

47.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-276

Affected Software

Vendor	Product	Versions
Lenovo	Flex System X240 M4 Firmware	< a3e122b
Lenovo	Flex System X440 M4 Firmware	< cge122b
Lenovo	System X3750 M4 Firmware	< a5e124b
Ibm	Bladecenter Hs23 Firmware	< tke160c
Ibm	Bladecenter Hs23e Firmware	< ahe160c
Ibm	Flex System X220 M4 Firmware	< kse158c
Ibm	Flex System X222 M4 Firmware	< cce160c
Ibm	Flex System X240 M4 Firmware	< ahe160c
Ibm	Flex System X280 X6 Firmware	< n3e132w
Ibm	Flex System X440 M4 Firmware	< cne162d
Ibm	Flex System X480 X6 Firmware	< n3e132w
Ibm	Flex System X880 X6 Firmware	< n2e130e
Ibm	Idataplex Dx360 M4 Firmware	< fhe120d
Ibm	Idataplex Dx360 M4 Water Cooled Firmware	< fhe120d
Ibm	System X3100 M4 Firmware	< jqe184c
Ibm	System X3100 M5 Firmware	< j9e134c
Ibm	System X3250 M4 Firmware	< jqe184c
Ibm	System X3250 M5 Firmware	< jue134c
Ibm	System X3300 M4 Firmware	< yae156c
Ibm	System X3500 M4 Firmware	< y5e158c
Ibm	System X3530 M4 Firmware	< bee164c
Ibm	System X3550 M4 Firmware	< d7e166d
Ibm	System X3630 M4 Firmware	< vve162c
Ibm	System X3650 M4 Firmware	< vve160c
Ibm	System X3650 M4 Bd Firmware	< vve160c
Ibm	System X3650 M4 Hd Firmware	< vve160c
Ibm	System X3750 M4 Firmware	< koe160c
Ibm	System X3850 X6 Firmware	< a8e128c
Ibm	System X3950 X6 Firmware	< bee164c

References

https://support.lenovo.com/us/en/solutions/LEN-24477Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24477Vendor Advisory

Timeline

Published: Nov 16, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-9085?

How severe is CVE-2018-9085?

Severity scoring for CVE-2018-9085 is pending analysis. The EPSS model estimates a 0.66% probability of exploitation in the next 30 days.

How do I fix CVE-2018-9085?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-9085?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST