
New Lenovo UEFI firmware updates fix Secure Boot bypass flaws

Lenovo is warning of high-severity BIOS flaws that could let attackers bypass Secure Boot on all-in-one desktops using customized Insyde UEFI firmware.

Devices confirmed to be impacted are the IdeaCentre AIO 3 24ARR9 and 27ARR9, and the Yoga AIO 27IAH10, 32ILL10, and 32IRH8.

UEFI is the modern replacement for the traditional PC BIOS, acting as a firmware interface between the computer's hardware and the OS, and controlling early initialization and booting.

The flaws, discovered by Binarly, mirror those the researchers uncovered earlier this month, which affected dozens of Gigabyte motherboard models and enabled local attackers to execute arbitrary code in System Management Mode (SMM).

SMM is a CPU mode that is separate from the operating system (OS) and the hypervisor, running with higher privileges at a lower level (Ring -2). Exploiting flaws in SMM could help attackers plant 'undetectable' malware that bypasses OS-level security defenses such as Secure Boot.

InsydeH2O is one of the most widely deployed commercial UEFI BIOS frameworks used in OEM laptops and desktops.


Insyde also published a bulletin explaining that the issues arise from OEM-specific customizations made by Lenovo to InsydeH2O UEFI firmware images, and do not apply to all systems using InsydeH2O UEFI.

“The newly identified Lenovo vulnerabilities arise from the same recurring challenges tied to inconsistencies within the software supply chain,” Binarly’s Alex Matrosov told BleepingComputer.

“All six vulnerabilities were found in System Management Mode (SMM)-level code, the invisible layer of firmware that loads before your operating system and persists after every re-image, making them perfect launch pads for stealthy implants and Secure Boot bypasses.”

The six flaws are summarized as follows:

  • CVE-2025-4421: bug in an SMI handler (Callback7 via EfiSmiServices) allows an attacker to write to an attacker-controlled SMRAM address using an unvalidated RSI register, leading to SMM privilege escalation and persistent firmware compromise. (CVSS score: 8.2)
  • CVE-2025-4422: bug in an SMI handler (EfiSmiServices, via gEfiSmmCpuProtocol and EfiPcdProtocol) can lead to SMM memory corruption and privilege escalation. (CVSS score: 8.2)
  • CVE-2025-4423: bug in an SMI handler (SetupAutomationSmm) allows arbitrary memory writes in SMM, leading to SMM privilege escalation and code execution. (CVSS score: 8.2)
  • CVE-2025-4424: improper input validation in an SMI handler (SetupAutomationSmm) allows unsanitized calls to SmmSetVariable, leading to firmware settings manipulation. (CVSS score: 6)
  • CVE-2025-4425: stack buffer overflow in an SMI handler (SetupAutomationSmm) can lead to SMM privilege escalation and arbitrary code execution. (CVSS score: 8.2)
  • CVE-2025-4426: bug in an SMI handler (SetupAutomationSmm) leaks SMRAM contents, enabling sensitive information disclosure. (CVSS score: 6)
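
The bugs listed above share a small set of root causes: an OS-controlled pointer used as a write target inside SMM, an unchecked length copied into a stack buffer, and over-reads that expose SMRAM contents. The C below is an added example, not code from Lenovo, Insyde or Binarly, showing the checks a hardened SMI handler applies before trusting anything in the communication buffer; the SMRAM range, request header layout, status codes and the `demo_request` helper are hypothetical, and the bounds check follows the same idea as EDK2's SmmIsBufferOutsideSmmValid.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the SMRAM range; real firmware takes these from the
 * platform's SMRAM descriptors. Placeholder values for this example only. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL
#define MAX_REQ_DATA 64

enum { STATUS_OK = 0, STATUS_SECURITY_VIOLATION = 1, STATUS_INVALID_PARAM = 2 };

/* Hypothetical request header an OS-side driver places in the comm buffer. */
typedef struct {
    uint64_t out_ptr;   /* where the caller wants the result written */
    uint32_t data_len;  /* bytes of payload that follow the header */
    uint32_t reserved;
} smi_req_hdr_t;

/* True only if [addr, addr+len) is non-empty, does not wrap around, and lies
 * entirely outside SMRAM. Every OS-supplied pointer must pass this check. */
bool buffer_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;
    return !(addr < SMRAM_BASE + SMRAM_SIZE && addr + len > SMRAM_BASE);
}

/* Hardened handler: validates the comm buffer before trusting any field in it. */
int handle_smi_request(const void *comm, uint64_t comm_phys, uint64_t comm_size) {
    if (comm_size < sizeof(smi_req_hdr_t)) return STATUS_INVALID_PARAM;
    if (!buffer_outside_smram(comm_phys, comm_size)) return STATUS_SECURITY_VIOLATION;
    smi_req_hdr_t hdr;
    memcpy(&hdr, comm, sizeof hdr);  /* snapshot into SMM-owned memory first (no TOCTOU) */
    if (hdr.data_len > comm_size - sizeof hdr) return STATUS_INVALID_PARAM;  /* over-read */
    if (hdr.data_len > MAX_REQ_DATA) return STATUS_INVALID_PARAM;            /* stack overflow */
    uint8_t local[MAX_REQ_DATA];
    memcpy(local, (const uint8_t *)comm + sizeof hdr, hdr.data_len);
    if (!buffer_outside_smram(hdr.out_ptr, sizeof(uint64_t))) return STATUS_SECURITY_VIOLATION;
    (void)local;  /* a real handler would process `local` and write its result to out_ptr */
    return STATUS_OK;
}

/* Builds a constructed request and runs it through the handler; comm_phys is a
 * pretend physical address, the bytes themselves live on this function's stack. */
int demo_request(uint32_t data_len, uint64_t out_ptr, uint64_t comm_phys) {
    uint64_t raw[(sizeof(smi_req_hdr_t) + MAX_REQ_DATA) / 8];  /* keeps 8-byte alignment */
    smi_req_hdr_t *hdr = (smi_req_hdr_t *)raw;
    hdr->out_ptr = out_ptr; hdr->data_len = data_len; hdr->reserved = 0;
    memset((uint8_t *)raw + sizeof *hdr, 0xA5, MAX_REQ_DATA);
    return handle_smi_request(raw, comm_phys, sizeof raw);
}
```

A request whose output pointer, comm buffer or declared payload length fails any of these checks is rejected before the handler touches memory on the caller's behalf.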

Binarly reported the vulnerabilities to Lenovo on April 8, 2025, and received confirmation from the company on June 16. The coordinated disclosure was published yesterday, following the expiration of the 90-day disclosure window.

Lenovo has released firmware security updates for IdeaCentre AIO 3 models, urging users to upgrade to version O6BKT1AA.

Yoga AIO updates are not currently available, but the computer vendor plans to release fixes between September 30 and November 30, 2025.
