
Lenovo IdeaCentre and Yoga Laptops Exposed to BIOS Vulnerabilities Allowing Arbitrary Code Execution

Lenovo has released a critical security advisory addressing six newly discovered vulnerabilities in Insyde BIOS firmware that could potentially allow attackers to gain unauthorized access to sensitive system areas and execute malicious code.

The advisory, designated LEN-201013, affects several popular IdeaCentre and Yoga All-In-One desktop models and carries a high severity rating due to the potential for information disclosure and privilege escalation attacks.

Critical Security Flaws Discovered in Lenovo Systems

The vulnerabilities, tracked under CVE identifiers CVE-2025-4421 through CVE-2025-4426, were discovered by the Binarly REsearch team and reported to Lenovo for coordinated disclosure.

These security flaws affect the Insyde BIOS firmware used in certain Lenovo desktop computers, creating a pathway for a privileged local attacker to reach System Management Mode (SMM) and read SMRAM contents.

The most concerning aspect of these vulnerabilities is their potential to allow arbitrary code execution in System Management Mode, which represents one of the most privileged execution environments in modern computer systems.

SMM typically operates with the highest level of system access, making it an attractive target for sophisticated attackers seeking to establish persistent, low-level system compromise.

According to Lenovo’s security assessment, the scope of impact is classified as “Lenovo-specific,” indicating that these particular vulnerabilities are unique to how Lenovo has implemented the Insyde BIOS in its affected products.

While the vulnerabilities require local access with existing privileges, successful exploitation could lead to complete system compromise.

Affected Products and Technical Details

The security advisory specifically identifies several desktop models within Lenovo’s IdeaCentre and Yoga All-In-One product lines.

The IdeaCentre AIO 3 series, including both the 24ARR9 and 27ARR9 models, is among the affected systems; a fixed BIOS, minimum version O6BKT1AA, is already available for download.

Additionally, three Yoga AIO models face similar vulnerabilities: the Yoga AIO 27IAH10, Yoga AIO 32ILL10, and Yoga AIO 9 32IRH8.


However, for these Yoga models, BIOS updates are still in development with staggered availability dates.

The Yoga AIO 32ILL10 and Yoga AIO 9 32IRH8 are expected to receive their security updates by September 30, 2025, while the Yoga AIO 27IAH10 fix is targeted for November 30, 2025.

Lenovo strongly recommends that users of affected systems immediately check their current BIOS version and update to the specified minimum fixed version where available.

Users can access the necessary updates through Lenovo’s support website by searching for their specific product model and navigating to the Drivers & Software section.

For systems where updates are not yet available, Lenovo advises users to monitor their support pages regularly and apply security updates as soon as they become available.

The company has also provided automated update management tools to streamline the patching process for both PC and enterprise customers.
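For administrators triaging a fleet against this advisory, the following added example (not Lenovo's tooling, nor code from the advisory) classifies inventory records by the affected models, the fixed BIOS version and the fix-availability dates quoted above. It assumes a constructed CSV inventory, treats only an exact match with the published fixed version as patched (Lenovo BIOS IDs are not reliably comparable as plain strings, so anything else is flagged for review), and uses placeholder BIOS strings for the unpatched hosts.

```python
"""Fleet triage helper for Lenovo advisory LEN-201013 (added example)."""
from datetime import date

# Affected models from the advisory, keyed by the machine-type token in the
# model string. fixed_bios is None where no fix had shipped at publication;
# fix_due is the expected availability date the advisory gives.
ADVISORY = {
    "24ARR9": {"fixed_bios": "O6BKT1AA", "fix_due": None},
    "27ARR9": {"fixed_bios": "O6BKT1AA", "fix_due": None},
    "27IAH10": {"fixed_bios": None, "fix_due": date(2025, 11, 30)},
    "32ILL10": {"fixed_bios": None, "fix_due": date(2025, 9, 30)},
    "32IRH8": {"fixed_bios": None, "fix_due": date(2025, 9, 30)},
}

def triage(model: str, bios_version: str, today: date) -> str:
    """Return a triage status for one host based on the advisory table."""
    entry = next((ADVISORY[t] for t in model.upper().split() if t in ADVISORY), None)
    if entry is None:
        return "not-listed"
    if entry["fixed_bios"] is None:
        if today <= entry["fix_due"]:
            return f"no-fix-yet (expected by {entry['fix_due'].isoformat()})"
        return "fix-overdue (check Lenovo support page)"
    # Assumption: only an exact match with the published fixed ID counts as
    # patched; other strings are flagged rather than compared lexically.
    if bios_version.strip().upper() == entry["fixed_bios"]:
        return "patched"
    return f"needs-review (fixed version {entry['fixed_bios']})"

def triage_inventory(csv_text: str, today: date) -> dict[str, str]:
    """Parse 'hostname,model,bios_version' rows and triage each host."""
    results = {}
    for line in csv_text.strip().splitlines()[1:]:
        host, model, bios = (field.strip() for field in line.split(","))
        results[host] = triage(model, bios, today)
    return results

# Constructed inventory; BIOS strings other than the fixed one are placeholders.
INVENTORY = """\
hostname,model,bios_version
aio-01,IdeaCentre AIO 3 24ARR9,O6BKT1AA
aio-02,IdeaCentre AIO 3 27ARR9,OLD-PLACEHOLDER
yoga-01,Yoga AIO 32ILL10,PLACEHOLDER
yoga-02,Yoga AIO 27IAH10,PLACEHOLDER
other-01,Some Other Lenovo Model,PLACEHOLDER
"""

def demo(today: date = date(2025, 10, 15)) -> dict[str, str]:
    return triage_inventory(INVENTORY, today)

if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host}: {status}")
```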


The post Lenovo IdeaCentre and Yoga Laptops Exposed to BIOS Vulnerabilities Allowing Arbitrary Code Execution appeared first on Cyber Security News.

rssfeeds-admin
