
Lenovo has released a security advisory addressing six critical BIOS vulnerabilities affecting select IdeaCentre and Yoga All-in-One desktops.
The flaws, stemming from custom Insyde firmware modules, can allow local attackers with elevated privileges to execute arbitrary code in System Management Mode (SMM), enabling stealthy firmware implants and bypass of core platform security.
The vulnerabilities were discovered by the Binarly REsearch team, which published a coordinated set of disclosures on July 29, 2025, after a 90-day embargo. The issues, cataloged under CVE-2025-4421 through CVE-2025-4426, affect Lenovo devices using custom InsydeH2O BIOS firmware. Binarly identified the problems using its Deep Vulnerability Analysis (DVA) engine, uncovering unsafe memory operations and logic errors in modules responsible for handling System Management Interrupts (SMIs).
Technical details and impact
The most severe flaws (CVE-2025-4421, -4422, -4423, and -4425) are classified as memory corruption vulnerabilities in the SMM module, enabling arbitrary writes into SMRAM, the protected memory region used by firmware-level handlers. These vulnerabilities, all rated CVSS 8.2 (High), include stack buffer overflows and out-of-bounds writes due to a lack of input validation and attacker-controlled pointers in callback functions registered via EFI_L05_SMM_SW_SMI_INTERFACE_PROTOCOL.
One example, CVE-2025-4422, stems from improper validation in the CallbackFunction logic that processes SMI triggers. Attackers can exploit SMM save state registers (such as RSI or RDI) to redirect memory writes into sensitive regions, effectively hijacking firmware execution.
CVE-2025-4424 allows unsanitized calls to SmmSetVariable(), letting an attacker overwrite protected NVRAM variables, potentially bypassing Secure Boot and locking mechanisms. Similarly, CVE-2025-4426 allows information disclosure by reading from SMRAM and storing its contents in NVRAM variables, exposing critical firmware data.
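The defect class described above (an SMI handler that takes a pointer and a length from OS-controlled save-state registers and writes through them without checking that the target lies outside SMRAM) is the same one that platform firmware guards against with a bounds check before any write. The following C program is an added illustration, not code from Lenovo, Insyde or Binarly: it simulates a flat physical memory with an SMRAM window at a constructed address range, shows a handler that trusts RSI/RDI as-is beside one that applies the check, and lets the caller observe whether SMRAM was clobbered. The SMRAM layout, the register names in the `save_state_t` struct, the status codes and the `is_buffer_outside_smram` helper are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed simulation: 4 KiB of "physical memory" with an SMRAM window
   in the middle. These values are assumptions, not a real platform layout. */
#define MEM_SIZE    4096ULL
#define SMRAM_BASE  2048ULL
#define SMRAM_SIZE  1024ULL
#define MAX_REQ_LEN  256ULL   /* largest write the handler is willing to service */

enum { STATUS_OK = 0, STATUS_ACCESS_DENIED = 1, STATUS_INVALID = 2 };

static uint8_t g_mem[MEM_SIZE];

/* Assumed save-state snapshot: the OS (ring 0) controls these before the SMI. */
typedef struct {
    uint64_t rsi;   /* treated as destination pointer */
    uint64_t rdi;   /* treated as length */
} save_state_t;

/* Returns true only if [base, base+size) is non-empty, does not wrap, and is
   disjoint from SMRAM. This mirrors the check firmware performs before
   honouring a caller-supplied buffer (cf. EDK2's SmmIsBufferOutsideSmmValid). */
bool is_buffer_outside_smram(uint64_t base, uint64_t size) {
    if (size == 0) return false;
    if (base + size < base) return false;            /* arithmetic wrap-around */
    uint64_t end = base + size;                        /* exclusive end */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || base >= smram_end;     /* fully below or above */
}

/* Simulation-only bound so the demo never writes past the backing array.
   It is NOT a security check: it says nothing about SMRAM. */
static bool within_simulated_memory(uint64_t dst, uint64_t len) {
    return dst <= MEM_SIZE && len <= MEM_SIZE - dst;
}

/* Defective pattern: pointer and length from the save state are used directly. */
int vulnerable_smi_handler(const save_state_t *st) {
    uint64_t dst = st->rsi, len = st->rdi;
    if (!within_simulated_memory(dst, len)) return STATUS_INVALID;
    memset(&g_mem[dst], 0x5A, (size_t)len);   /* may land inside SMRAM */
    return STATUS_OK;
}

/* Hardened pattern: bound the length, then refuse any buffer touching SMRAM. */
int hardened_smi_handler(const save_state_t *st) {
    uint64_t dst = st->rsi, len = st->rdi;
    if (len == 0 || len > MAX_REQ_LEN) return STATUS_INVALID;
    if (!is_buffer_outside_smram(dst, len)) return STATUS_ACCESS_DENIED;
    if (!within_simulated_memory(dst, len)) return STATUS_INVALID;
    memset(&g_mem[dst], 0x5A, (size_t)len);
    return STATUS_OK;
}

/* Detection helper for the demo: did anything land in the SMRAM window? */
bool smram_clobbered(void) {
    for (uint64_t i = SMRAM_BASE; i < SMRAM_BASE + SMRAM_SIZE; i++)
        if (g_mem[i] != 0) return true;
    return false;
}

void reset_memory(void) { memset(g_mem, 0, sizeof g_mem); }

int main(void) {
    /* Constructed request whose destination sits 16 bytes inside SMRAM. */
    save_state_t req = { .rsi = SMRAM_BASE + 16, .rdi = 32 };

    reset_memory();
    int v = vulnerable_smi_handler(&req);
    printf("vulnerable: status=%d smram_clobbered=%d\n", v, smram_clobbered());

    reset_memory();
    int h = hardened_smi_handler(&req);
    printf("hardened:   status=%d smram_clobbered=%d\n", h, smram_clobbered());
    return 0;
}
```

The important property of `is_buffer_outside_smram` is that it rejects a buffer that merely straddles the SMRAM boundary and one whose `base + size` wraps around, not only one that starts inside SMRAM; a check that tests the start address alone would still let a large length reach into protected memory.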
Lenovo confirmed that multiple models are impacted, including:
- IdeaCentre AIO 3 24ARR9 / 27ARR9 – Fixed in BIOS version O6BKT1AA
- Yoga AIO 9 32IRH8, 27IAH10, 32ILL10 – BIOS updates pending, with estimated release dates between September and November 2025
Lenovo IdeaCentre and Yoga AIO lines are consumer and prosumer desktops sold globally, with Insyde's BIOS firmware powering platform initialization, UEFI services, and runtime system management. The vulnerabilities arise from vendor-specific extensions developed by Insyde for Lenovo, not part of InsydeH2O's general release code.
Exploitation requires local system access with administrative privileges (ring 0), allowing a malicious actor to escalate to ring -2 (SMM), a highly privileged execution mode that is isolated from the OS. Arbitrary code execution in SMM enables attackers to persist stealthy malware implants that survive OS reinstallation, bypass protections such as Secure Boot, Kernel DMA Protection, and hypervisor memory isolation, and disable firmware write protections, modifying SPI flash contents.
These threats pose a significant risk to system integrity, especially in scenarios involving targeted attacks or supply chain compromise.
Lenovo users are strongly advised to check for BIOS updates via the official support portal, matching their product's machine type and updating to the minimum fixed version listed in the advisory.
These newly disclosed Lenovo BIOS flaws closely mirror recent vulnerabilities found in Gigabyte motherboards, where similar unchecked register usage in SMM handlers led to SMRAM corruption and persistent firmware compromise. As with the Gigabyte case, also uncovered by Binarly, the root cause lies in insecure SMM callback logic that allows attackers to hijack critical firmware functionality and bypass UEFI protections like Secure Boot.