Lenovo Patches Critical UEFI Flaws Exposing AIO Desktops to Secure Boot Bypass
Lenovo is scrambling to address a series of high-severity UEFI firmware vulnerabilities that threaten the security of its popular all-in-one (AIO) desktops. The flaws, discovered by cybersecurity firm Binarly, could allow attackers to bypass Secure Boot—a critical defense mechanism that verifies the integrity of boot processes—and execute malicious code with the highest system privileges. Affected models include the IdeaCentre AIO 3 24ARR9 and 27ARR9, alongside the Yoga AIO 27IAH10, 32ILL10, and 32IRH8.
UEFI (Unified Extensible Firmware Interface) serves as the modern successor to the legacy BIOS, acting as the foundational layer between hardware and the operating system during boot-up. The vulnerabilities specifically lurk within Lenovo's customized implementation of InsydeH2O, a widely used commercial UEFI framework. According to Binarly, all six flaws originate from "inconsistencies within the software supply chain," where OEM-specific modifications introduced critical security gaps.
"All six vulnerabilities were found in System Management Mode (SMM)-level code, the invisible layer of firmware that loads before your operating system and persists after every re-image, making them perfect launch pads for stealthy implants and Secure Boot bypasses," explained Alex Matrosov, CEO of Binarly, in correspondence with BleepingComputer.
SMM operates at Ring -2, a CPU privilege level deeper than the OS (Ring 0) or hypervisor (Ring -1), granting attackers near-total control over the system if compromised. The flaws enable scenarios like arbitrary code execution, memory corruption, and sensitive data leakage, effectively creating a foothold for persistent firmware-level malware that evades traditional security tools.
Technical Breakdown of Vulnerabilities
The six CVEs, all rated high-severity (CVSS scores up to 8.2), include:
- CVE-2025-4421, CVE-2025-4422, CVE-2025-4423, and CVE-2025-4425: Allow SMM privilege escalation via unvalidated input or buffer overflows in SMI handlers, leading to arbitrary code execution.
- CVE-2025-4424: Enables firmware settings manipulation through improper input validation.
- CVE-2025-4426: Exposes sensitive SMRAM contents via an information leak.
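The common root of the SMI-handler bugs described above is an SMM handler that trusts a pointer or length supplied from outside SMRAM. The following is an added illustration, not code from Lenovo, Insyde or Binarly, of the check such handlers need: the caller-supplied range must be copied into SMM-private memory first and then proven to lie entirely outside SMRAM before it is dereferenced. The SMRAM window, the request structure and the handler names are constructed for the simulation and do not correspond to any real firmware layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical SMRAM window for the simulation (constructed, not a real layout). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL   /* 8 MiB */
#define MAX_REPLY_LEN 4096U        /* largest reply the handler will ever produce */

/* Simulated SMI communication buffer: the OS-side caller supplies a destination
   pointer and a length for the handler's reply. Both fields are attacker-controlled. */
typedef struct {
    uint64_t dest_addr;
    uint32_t length;
} smi_request_t;

/* True iff [addr, addr+size) lies entirely outside SMRAM.
   The wrap check matters: addr + size overflowing to a small value would
   otherwise make a range that really ends inside SMRAM look safe. */
bool range_outside_smram(uint64_t addr, uint64_t size)
{
    const uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    if (size == 0)
        return false;                 /* degenerate request: reject */
    if (addr > UINT64_MAX - size)
        return false;                 /* addr + size would wrap around */
    const uint64_t end = addr + size; /* exclusive end */
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Vulnerable pattern (simulated): the handler honors whatever destination the
   caller asked for. *targets_smram reports whether the write would have landed
   inside SMRAM, i.e. the confused-deputy outcome the CVE class describes. */
int handle_smi_vulnerable(const smi_request_t *req, bool *targets_smram)
{
    *targets_smram = !range_outside_smram(req->dest_addr, req->length);
    return 0;   /* always "succeeds" */
}

/* Hardened pattern: copy the request into SMM-private storage before checking it
   (so the OS cannot change it between check and use), bound the length, and
   refuse any range that overlaps SMRAM. Returns 0 on accept, -1 on reject. */
int handle_smi_hardened(const smi_request_t *req, bool *targets_smram)
{
    smi_request_t local;
    memcpy(&local, req, sizeof local);   /* snapshot first, validate the snapshot */
    *targets_smram = false;
    if (local.length > MAX_REPLY_LEN)
        return -1;
    if (!range_outside_smram(local.dest_addr, local.length))
        return -1;
    /* ...the real handler would now write its reply to local.dest_addr... */
    return 0;
}

int main(void)
{
    /* Constructed requests: one benign, one aimed into SMRAM, one that wraps. */
    const smi_request_t cases[] = {
        { 0x00001000ULL,            64 },
        { SMRAM_BASE + 0x10ULL,     64 },
        { UINT64_MAX - 4ULL,        64 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool v, h;
        int rv = handle_smi_vulnerable(&cases[i], &v);
        int rh = handle_smi_hardened(&cases[i], &h);
        printf("req %zu: vulnerable rc=%d targets_smram=%d | hardened rc=%d\n",
               i, rv, v, rh);
    }
    return 0;
}
```

The hardened handler shows the two habits that close this bug class: validate a private copy rather than the shared buffer, and treat the range check as an overlap test with explicit overflow handling rather than a single `addr < SMRAM_BASE` comparison.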
These vulnerabilities mirror issues Binarly identified in Gigabyte motherboards earlier this month, underscoring a troubling pattern of supply chain weaknesses in UEFI implementations. Insyde Software clarified that the flaws stem from Lenovo's customizations and do not affect all InsydeH2O deployments.
Disclosure and Mitigation Timeline
Binarly reported the vulnerabilities to Lenovo on April 8, 2025, with confirmation received on June 16. The public disclosure followed the expiration of a 90-day window. Lenovo has released firmware update O6BKT1AA for IdeaCentre AIO 3 models, urging immediate installation. Updates for Yoga AIO devices are slated for release between September and November 2025, leaving those systems temporarily exposed.
This incident serves as a stark reminder that firmware security is the next frontier in cyber defense. As attackers increasingly target low-level components, vendors must prioritize rigorous auditing of supply chain customizations—and users must treat firmware updates with the same urgency as OS patches. The persistence of such vulnerabilities across major hardware vendors signals a systemic challenge that demands industry-wide collaboration to harden the invisible layers guarding our systems.
Source: BleepingComputer