Hacker News
by pilif 4984 days ago
I really don't agree with the severity rating. Instant admin-access by just plugging in a USB stick is exactly what malware like the ever-loved Stuxnet use(d) as a jump-start to get their other exploits and backdoors going.

It's like the various autorun exploits, but better because you don't need an additional privilege escalation vulnerability and you get to execute your attack even if autorun is turned off completely.

2 comments

Yeah, the severity rating seems rather oblivious to simple social engineering. Leave a USB stick on a desk with a sticky note attached to it saying "Urgent, please review", and guess what is going to happen to that USB stick.

Being able to compromise a system via a mundane and apparently benign action is never low-severity.

You have to be running an exploit program while you play with the USB stick.