CVE-2024-38508

7.2

HIGH CVSS 3.1

XCC Command Injection Privilege Escalation

Overview
Vulnerability Timeline

Overview

Description

A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request.

Details

INFO

Published Date :

July 26, 2024, 8:15 p.m.

Last Modified :

April 15, 2026, 12:35 a.m.

Remotely Exploit :

Yes !

Source :

[email protected]

Impact

Affected Products

The following products are affected by CVE-2024-38508 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product
1	Lenovo	thinkagile_hx_enclosure_certified_node_firmware
2	Lenovo	thinkagile_hx5530_firmware
3	Lenovo	thinkagile_hx7530_firmware
4	Lenovo	thinkagile_vx3331_firmware
5	Lenovo	thinkagile_hx1320_firmware
6	Lenovo	thinkagile_hx1321_firmware
7	Lenovo	thinkagile_hx1331_firmware
8	Lenovo	thinkagile_hx1520-r_firmware
9	Lenovo	thinkagile_hx1521-r_firmware
10	Lenovo	thinkagile_hx2320-e_firmware
11	Lenovo	thinkagile_hx2321_firmware
12	Lenovo	thinkagile_hx2330_firmware
13	Lenovo	thinkagile_hx2331_firmware
14	Lenovo	thinkagile_hx2720-e_firmware
15	Lenovo	thinkagile_hx3320_firmware
16	Lenovo	thinkagile_hx3321_firmware
17	Lenovo	thinkagile_hx3330_firmware
18	Lenovo	thinkagile_hx3375_firmware
19	Lenovo	thinkagile_hx3376_firmware
20	Lenovo	thinkagile_hx3520-g_firmware
21	Lenovo	thinkagile_hx3521-g_firmware
22	Lenovo	thinkagile_hx3720_firmware
23	Lenovo	thinkagile_hx3721_firmware
24	Lenovo	thinkagile_hx5520-c_firmware
25	Lenovo	thinkagile_hx5521-c_firmware
26	Lenovo	thinkagile_hx5531_firmware
27	Lenovo	thinkagile_hx7520_firmware
28	Lenovo	thinkagile_hx7521_firmware
29	Lenovo	thinkagile_hx7531_firmware
30	Lenovo	thinkagile_hx7820_firmware
31	Lenovo	thinkagile_hx7821_firmware
32	Lenovo	thinkagile_mx1020_firmware
33	Lenovo	thinkagile_mx3330-f_firmware
34	Lenovo	thinkagile_mx3330-h_firmware
35	Lenovo	thinkagile_mx3331-f_firmware
36	Lenovo	thinkagile_mx3331-h_firmware
37	Lenovo	thinkagile_mx3530_f_firmware
38	Lenovo	thinkagile_mx3530-h_firmware
39	Lenovo	thinkagile_mx3531-f_firmware
40	Lenovo	thinkagile_vx1320_firmware
41	Lenovo	thinkagile_vx2320_firmware
42	Lenovo	thinkagile_vx2330_firmware
43	Lenovo	thinkagile_vx3320_firmware
44	Lenovo	thinkagile_vx3330_firmware
45	Lenovo	thinkagile_vx3520-g_firmware
46	Lenovo	thinkagile_vx3530-g_firmware
47	Lenovo	thinkagile_vx3720_firmware
48	Lenovo	thinkagile_vx5520_firmware
49	Lenovo	thinkagile_vx5530_firmware
50	Lenovo	thinkagile_vx7320_n_firmware
51	Lenovo	thinkagile_vx7330_firmware
52	Lenovo	thinkagile_vx7520_firmware
53	Lenovo	thinkagile_vx7520_n_firmware
54	Lenovo	thinkagile_vx7530_firmware
55	Lenovo	thinkagile_vx7531_firmware
56	Lenovo	thinkagile_vx7820_firmware
57	Lenovo	thinksystem_sd530_firmware
58	Lenovo	thinksystem_sd630_v2_firmware
59	Lenovo	thinksystem_sd650-n_v2_firmware
60	Lenovo	thinksystem_se350_firmware
61	Lenovo	thinksystem_sn550_firmware
62	Lenovo	thinksystem_sn550_v2_firmware
63	Lenovo	thinksystem_sn850_firmware
64	Lenovo	thinksystem_sr150_firmware
65	Lenovo	thinksystem_sr158_firmware
66	Lenovo	thinksystem_sr250_firmware
67	Lenovo	thinksystem_sr250_v2_firmware
68	Lenovo	thinksystem_sr258_firmware
69	Lenovo	thinksystem_sr258_v2_firmware
70	Lenovo	thinksystem_sr530_firmware
71	Lenovo	thinksystem_sr550_firmware
72	Lenovo	thinksystem_sr570_firmware
73	Lenovo	thinksystem_sr590_firmware
74	Lenovo	thinksystem_sr630_firmware
75	Lenovo	thinksystem_sr630_v2_firmware
76	Lenovo	thinksystem_sr645_firmware
77	Lenovo	thinksystem_sr645_v3_firmware
78	Lenovo	thinksystem_sr650_firmware
79	Lenovo	thinksystem_sr650_v2_firmware
80	Lenovo	thinksystem_sr665_firmware
81	Lenovo	thinksystem_sr665_v3_firmware
82	Lenovo	thinksystem_sr670_firmware
83	Lenovo	thinksystem_sr670_v2_firmware
84	Lenovo	thinksystem_sr850_firmware
85	Lenovo	thinksystem_sr850_v2_firmware
86	Lenovo	thinksystem_sr850p_firmware
87	Lenovo	thinksystem_sr860_firmware
88	Lenovo	thinksystem_sr860_v2_firmware
89	Lenovo	thinksystem_sr950_firmware
90	Lenovo	thinksystem_st250_firmware
91	Lenovo	thinksystem_st250_v2_firmware
92	Lenovo	thinksystem_st258_firmware
93	Lenovo	thinksystem_st258_v2_firmware
94	Lenovo	thinksystem_st550_firmware
95	Lenovo	thinksystem_st650_v2_firmware
96	Lenovo	thinksystem_st658_v2_firmware
97	Lenovo	thinkagile_hx1021_edg_firmware
98	Lenovo	thinkstation_p920_workstation_firmware
99	Lenovo	thinksystem_sd650_v3_firmware
100	Lenovo	thinksystem_sd665_v3_firmware
101	Lenovo	thinksystem_sr630_v3_firmware
102	Lenovo	thinksystem_sr655_v3_firmware
103	Lenovo	thinksystem_sr675_v3_firmware
104	Lenovo	thinksystem_sr850_v3_firmware
105	Lenovo	thinksystem_sr860_v3_firmware
106	Lenovo	thinksystem_st650_v3_firmware
107	Lenovo	thinksystem_st658_v3_firmware
108	Lenovo	thinksystem_sd650_dual_node_tray_firmware
109	Lenovo	thinksystem_sr635_firmware

: Total Affected Vendor : 1 | Products : 109

Scoring

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Score	Version	Severity	Vector	Exploitability Score	Impact Score	Source
	CVSS 3.1	HIGH				[email protected]

References

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-38508.

URL	Resource
https://support.lenovo.com/us/en/product_security/LEN-156781
https://support.lenovo.com/us/en/product_security/LEN-156781

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-38508 is associated with the following CWEs:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-38508 weaknesses.

CAPEC-6: Argument Injection Argument Injection CAPEC-15: Command Delimiters Command Delimiters CAPEC-43: Exploiting Multiple Input Interpretation Layers Exploiting Multiple Input Interpretation Layers CAPEC-88: OS Command Injection OS Command Injection CAPEC-108: Command Line Execution through SQL Injection Command Line Execution through SQL Injection

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-38508 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2024-38508 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

CVE Modified by af854a3a-2127-422b-91ae-364da2661108

Nov. 21, 2024

Action	Type	Old Value	New Value
Added	Reference		https://support.lenovo.com/us/en/product_security/LEN-156781

CVE Received by [email protected]

Jul. 26, 2024

Action	Type	New Value
Added	Description	A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request.
Added	Reference	Lenovo Group Ltd. https://support.lenovo.com/us/en/product_security/LEN-156781 [No types assigned]
Added	CWE	Lenovo Group Ltd. CWE-78
Added	CVSS V3.1	Lenovo Group Ltd. AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.

CVE-2024-38508

XCC Command Injection Privilege Escalation

Description

INFO

July 26, 2024, 8:15 p.m.

April 15, 2026, 12:35 a.m.

Yes !

[email protected]

Affected Products

CVSS Scores

References to Advisories, Solutions, and Tools

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

CVE Modified by af854a3a-2127-422b-91ae-364da2661108

CVE Received by [email protected]

Vulnerability Scoring Details

Base CVSS Score: 7.2

Browse by Apps

CVE-2024-38508

XCC Command Injection Privilege Escalation

Description

INFO

July 26, 2024, 8:15 p.m.

April 15, 2026, 12:35 a.m.

Yes !

[email protected]

Affected Products

CVSS Scores

References to Advisories, Solutions, and Tools

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

CVE Modified by af854a3a-2127-422b-91ae-364da2661108

CVE Received by [email protected]

Vulnerability Scoring Details

Base CVSS Score: 7.2

Cookie Preferences