Lenovo is warning of high-severity BIOS flaws that would let attackers bypass Safe Boot on all-in-one desktops utilizing custom-made Insyde UEFI firmware.
Units confirmed to be impacted are IdeaCentre AIO 3 24ARR9 and 27ARR9, and the Yoga AIO 27IAH10, 32ILL10, and 32IRH8.
UEFI is the trendy alternative for the standard PC BIOS, appearing as a firmware interface between the pc’s {hardware} and the OS, controlling early initialization and booting.
The failings, found by Binarly, mirror these the researchers uncovered earlier this month, which impacted dozens of Gigabyte motherboard fashions, enabling native attackers to execute arbitrary code in System Administration Mode (SMM).
The SMM is a CPU mode that’s separate from the working system (OS) and hypervisor, operating with larger privileges at a decrease stage (Ring-2). Exploiting flaws in SMM might assist attackers plant ‘undetectable’ malware, bypassing OS-level safety defenses, corresponding to SecureBoot.
InsydeH2O is without doubt one of the most generally deployed industrial UEFI BIOS frameworks utilized in OEM laptops and desktops.
Insyde additionally revealed a bulletin explaining that the failings come up from OEM-specific customizations made by Lenovo in InsydeH2O UEFI firmware photos, and don’t apply to all methods utilizing InsydeH2O UEFI.
“The newly recognized Lenovo vulnerabilities come up from the identical recurring challenges tied to inconsistencies inside the software program provide chain,” commented Binarly’s Alex Matrosov to BleepingComputer.
“All six vulnerabilities have been present in System Administration Mode (SMM)‑stage code, the invisible layer of firmware that masses earlier than your working system and persists after each re‑picture, making them excellent launch pads for stealthy implants and Safe Boot bypasses.”
The six flaws are summarized as follows:
- CVE-2025-4421: bug in an SMI handler (Callback7 through EfiSmiServices) permits an attacker to jot down to an attacker-controlled SMRAM handle utilizing an unvalidated RSI register, resulting in SMM privilege escalation and protracted firmware compromise (CVSS rating: 8.2)
- CVE-2025-4422: bug in an SMI handler (EfiSmiServices, through gEfiSmmCpuProtocol and EfiPcdProtocol) can result in SMM reminiscence corruption and privilege escalation. (CVSS rating: 8.2)
- CVE-2025-4423: bug in an SMI handler (SetupAutomationSmm) permits arbitrary reminiscence writes in SMM, resulting in SMM privilege escalation and code execution. (CVSS rating: 8.2)
- CVE-2025-4424: improper enter validation in an SMI handler (SetupAutomationSmm) permits unsanitized calls to SmmSetVariable, resulting in firmware settings manipulation. (CVSS rating: 6)
- CVE-2025-4425: stack buffer overflow in an SMI handler (SetupAutomationSmm) can result in SMM privilege escalation and arbitrary code execution. (CVSS rating: 8.2)
- CVE-2025-4426: bug in an SMI handler (SetupAutomationSmm) leaks SMRAM contents, enabling delicate data disclosure. (CVSS rating: 6)
Binarly reported the vulnerabilities to Lenovo on April 8, 2025, and acquired affirmation from the corporate on June 16. The coordinated disclosure was revealed yesterday, following the expiration of the 90-day disclosure window.
Lenovo has launched firmware safety updates for IdeaCenter AIO 3 fashions, urging customers to improve to model O6BKT1AA.
Yoga AIO updates aren’t at the moment accessible, however the laptop vendor plans to launch fixes between September 30 and November 30, 2025.
Comprise rising threats in actual time – earlier than they influence your online business.
Learn the way cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
