Critical security flaws found in Lenovo AIO PCs! What to do if affected

Lenovo is warning users that several BIOS security vulnerabilities have been discovered in Lenovo IdeaCentre and Yoga All-In-One desktops. The support document states that local attackers can execute malicious code in System Management Mode (SMM).
Such access often goes unnoticed and is difficult to undo, because SMM runs at an even higher privilege level than the operating-system kernel. Malware implanted at this level survives even a complete reinstallation of the operating system, so reinstalling is not enough to detect or remove it once it has been injected, which is what makes these vulnerabilities particularly dangerous.
Which Lenovo models are affected?
The security vulnerabilities—labeled CVE-2025-4421, CVE-2025-4422, CVE-2025-4423, CVE-2025-4424, CVE-2025-4425, and CVE-2025-4426—were discovered by security researchers from Binarly and reported to Lenovo back in April. Four of them were given high severity ratings.
According to Lenovo, the following models are known to be affected:
- Lenovo IdeaCentre AIO 3 24ARR9
- Lenovo IdeaCentre AIO 3 27ARR9
- Lenovo Yoga AIO 27IAH10
- Lenovo Yoga AIO 32ILL10
- Lenovo Yoga AIO 9 32IRH8
The vulnerabilities lie in the Insyde BIOS firmware, which isn’t developed by Lenovo itself but rather by the Taiwanese company Insyde. However, devices from other manufacturers don’t appear to be running this particular UEFI version and are therefore not at risk.
What you can do if you’re affected
Lenovo is working on offering comprehensive patches for the security flaws. However, these are currently only available for the two IdeaCentre models. Owners of vulnerable Lenovo Yoga AIO desktops will likely have to wait until September for corresponding updates to be ready.
To download the appropriate patch for your device, you need to find your exact model on Lenovo’s support website, then click on “Drivers and software” and then on “Manual update.” Compare the minimum version for your device in this support document with the latest version published on the support website, then download and install the latest version.
Alternatively, you can also use Lenovo’s update management tool if you have already installed it. Because the flaws require local access, you should also keep the rest of your PC secured and use a reliable antivirus program to reduce the risk of an attack while your device cannot yet be patched.
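The version check described above can be automated on the PC itself. The following PowerShell script is an added example, not code from the article or from Lenovo; it assumes that Win32_ComputerSystemProduct.Version carries the marketing model name and that Lenovo BIOS IDs end in a numeric build number plus a revision letter, and the minimum fixed version is a placeholder you must replace with the value from Lenovo's support document.

```powershell
# Added example (not from the article or Lenovo). Run on the Lenovo AIO; no admin rights needed.
# MINIMUM_FIXED_VERSION is a placeholder: copy the real value for your model from Lenovo's support document.
$AffectedModels = @(
    'IdeaCentre AIO 3 24ARR9', 'IdeaCentre AIO 3 27ARR9',
    'Yoga AIO 27IAH10', 'Yoga AIO 32ILL10', 'Yoga AIO 9 32IRH8'
)
$MinimumFixedVersion = 'MINIMUM_FIXED_VERSION'

# Assumption: Lenovo BIOS IDs share a fixed prefix per platform and end in a numeric build number
# plus an optional revision letter; only versions with the same prefix are compared numerically.
function Compare-LenovoBiosVersion {
    param([string]$Installed, [string]$Minimum)
    $pattern = '^(?<prefix>.*?)(?<build>\d+)(?<rev>[A-Z]?)$'
    $i = [regex]::Match($Installed.Trim(), $pattern)
    $m = [regex]::Match($Minimum.Trim(), $pattern)
    if (-not ($i.Success -and $m.Success) -or $i.Groups['prefix'].Value -ne $m.Groups['prefix'].Value) {
        return 'unknown'   # different platform family or unexpected format: compare by hand
    }
    $ib = [int]$i.Groups['build'].Value
    $mb = [int]$m.Groups['build'].Value
    if ($ib -lt $mb) { return 'update-required' }
    if ($ib -eq $mb -and $i.Groups['rev'].Value -lt $m.Groups['rev'].Value) { return 'update-required' }
    return 'patched'
}

$bios    = Get-CimInstance -ClassName Win32_BIOS
$product = Get-CimInstance -ClassName Win32_ComputerSystemProduct   # .Version: marketing model name (assumption)
$modelName = $product.Version
$installed = $bios.SMBIOSBIOSVersion

Write-Host "Manufacturer: $($bios.Manufacturer)  Model: $modelName  BIOS: $installed (released $($bios.ReleaseDate))"

# Match the SMBIOS model name against the models listed in Lenovo's advisory.
$listed = $AffectedModels | Where-Object { $modelName -like "*$_*" }
if (-not $listed) {
    Write-Host 'Model is not on the affected list.'
} else {
    switch (Compare-LenovoBiosVersion -Installed $installed -Minimum $MinimumFixedVersion) {
        'patched'         { Write-Host "BIOS $installed is at or above the minimum $MinimumFixedVersion." }
        'update-required' { Write-Host "BIOS $installed is below $MinimumFixedVersion: install the update from Lenovo support." }
        default           { Write-Host "Could not compare $installed with $MinimumFixedVersion automatically; check the support document." }
    }
}
```

On a fleet, the same script can be pushed through your management tooling so that each AIO reports its own verdict instead of someone visiting the support site per machine.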