
Lenovo UEFI Updates Patch Critical Secure Boot Vulnerabilities

Summary

Lenovo warns of high-severity BIOS flaws in certain all-in-one desktops, allowing attackers to bypass Secure Boot via customized Insyde UEFI firmware.
– Affected devices include IdeaCentre AIO 3 24ARR9, 27ARR9, and Yoga AIO models 27IAH10, 32ILL10, and 32IRH8.
– The flaws, discovered by Binarly, enable attackers to execute arbitrary code in System Management Mode (SMM), bypassing OS-level security defenses.
– Six vulnerabilities (CVE-2025-4421 to CVE-2025-4426) were identified, with CVSS scores up to 8.2, allowing SMM privilege escalation and persistent firmware compromise.
– Lenovo has released firmware updates for IdeaCentre AIO 3 models, while fixes for Yoga AIO models are expected between September and November 2025.

Lenovo has issued critical firmware updates to address multiple high-risk vulnerabilities affecting Secure Boot functionality in several all-in-one desktop models. These security flaws, discovered in customized UEFI firmware implementations, could allow attackers to bypass critical security protections and execute malicious code at the firmware level.

The affected devices include IdeaCentre AIO 3 24ARR9 and 27ARR9, along with Yoga AIO 27IAH10, 32ILL10, and 32IRH8 models. UEFI firmware serves as the bridge between hardware and the operating system, managing early boot processes with higher privileges than the OS itself.

Security researchers at Binarly identified six distinct vulnerabilities, all residing in System Management Mode (SMM), a privileged CPU execution environment that operates independently of the operating system. Exploiting these flaws could enable attackers to install persistent malware, manipulate firmware settings, or leak sensitive memory contents, all while evading traditional security measures like Secure Boot.

The vulnerabilities stem from OEM-specific modifications made by Insyde Software to their InsydeH2O UEFI firmware for Lenovo devices. Unlike standard implementations, these customizations introduced weaknesses in SMI (System Management Interrupt) handlers, allowing unauthorized memory writes, privilege escalation, and information disclosure.

Among the six, the headline flaw is CVE-2025-4421: unvalidated register usage in an SMI handler leading to SMM privilege escalation (CVSS 8.2). Binarly disclosed these issues to Lenovo in April 2025, and fixes are now being rolled out. IdeaCentre AIO 3 users should immediately update to firmware version O6BKT1AA, while patches for Yoga AIO models are expected by late November 2025.
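As an added illustration, not code from the advisory, from Binarly, or from Insyde/Lenovo firmware, of the check that the "unvalidated register usage" class is missing: a constructed SMRAM window and a hypothetical write-request handler, shown in its trusting form beside the form that rejects any caller-supplied range overlapping SMRAM. The SMRAM base/size and the request struct are assumptions for the demo; real firmware takes the window from the chipset and the request from the SMM communication buffer.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window for this stand-alone demo (assumption);
 * real firmware reads the protected range (e.g. TSEG) from the chipset. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL   /* 8 MiB */

/* Hypothetical request an OS-level caller hands to an SMI handler via a
 * register or shared buffer: "write len bytes at physical address dest". */
typedef struct {
    uint64_t dest;
    uint64_t len;
} SmiWriteRequest;

/* True only if [addr, addr+len) is non-empty, does not wrap around the
 * address space, and lies entirely outside SMRAM. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0)
        return false;
    if (addr > UINT64_MAX - len)          /* addr + len would wrap */
        return false;
    uint64_t end = addr + len;            /* exclusive */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Vulnerable pattern: the caller-controlled pointer is trusted, so a request
 * aimed inside SMRAM is accepted and the handler would write there. */
bool smi_handler_unvalidated(const SmiWriteRequest *req)
{
    (void)req;
    /* would perform the copy to req->dest here */
    return true;
}

/* Hardened pattern: validate the range before any memory access and refuse
 * anything that touches SMRAM or wraps. */
bool smi_handler_validated(const SmiWriteRequest *req)
{
    if (!buffer_outside_smram(req->dest, req->len))
        return false;
    /* range is safe; the copy to req->dest would happen here */
    return true;
}
```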

These findings highlight ongoing challenges in firmware security, particularly where custom OEM modifications introduce unexpected risks. Unlike software vulnerabilities, firmware flaws persist across OS reinstalls, making them particularly dangerous for long-term device security.

Lenovo has clarified that the vulnerabilities resulted from Insyde’s firmware customizations rather than its own modifications. Users of affected systems should monitor Lenovo’s support portal for firmware updates and apply them as soon as they become available.

(Source: Bleeping Computer)
