Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code

Critical vulnerabilities in Lenovo’s IdeaCentre and Yoga All-In-One systems could allow privileged local attackers to execute arbitrary code and access sensitive system information. 

The vulnerabilities affect InsydeH2O BIOS implementations used in specific Lenovo desktop and all-in-one computer models, with CVSS scores ranging from 6.0 to 8.2, indicating high severity risks.

Key Takeaways
1. Six BIOS vulnerabilities let attackers execute malicious code on Lenovo systems.
2. Affects Lenovo IdeaCentre and Yoga All-In-One desktops.
3. BIOS patches available, Yoga fixes coming soon.

Critical SMM Vulnerabilities

The security flaws center around System Management Mode (SMM) vulnerabilities that could grant attackers unprecedented access to system resources. 

Six distinct Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to these issues, each carrying the maximum CVSS score of 8.2. 

CVE-2025-4421 is a memory corruption in SMM’s CPU protocol service that allows attackers to write data beyond allocated memory boundaries, potentially overwriting critical system code.

CVE-2025-4422 is an out-of-bounds write in SMM’s platform configuration database (PCD) protocol that lets attackers corrupt memory and execute malicious code.

Additionally, buffer overflow CVE-2025-4423 in the setup automation module lets attackers inject and execute arbitrary code within the highly privileged SMM environment.

CVE-2025-4424 is an input validation flaw in an SMI handler that allows attackers to make unauthorized calls to system variable functions with malicious parameters, potentially altering system configuration.

CVE-2025-4425 is a stack-based buffer overflow in system management interrupt (SMI) handlers that can be exploited to overwrite return addresses and execute attacker-controlled code.

CVE-2025-4426 is an information disclosure vulnerability that leaks sensitive data from protected system management RAM (SMRAM) to unauthorized processes.

All vulnerabilities require high privileges (local admin access) to exploit, but can lead to complete system compromise once executed.
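The out-of-bounds write, stack overflow and input validation flaws described above all come down to an SMI handler trusting what a less privileged caller put in the shared communication buffer. The following is an added illustration of the defensive checks such a handler needs; it is not code from Lenovo, Insyde or BINARLY. The SMRAM window, buffer layout and return codes are constructed for the example, and the buffer's physical address is passed separately so that the "inside SMRAM" case can be simulated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed SMRAM window for the example; a real platform takes these
 * from its SMRAM descriptor (e.g. the TSEG base and size). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL   /* 8 MiB */
#define COMM_MAX_PAYLOAD 64

/* Simplified SMI communication buffer: caller-controlled length and payload. */
typedef struct {
    uint32_t data_len;
    uint8_t  data[COMM_MAX_PAYLOAD];
} comm_buf_t;

/* Handler-private scratch space that would live inside SMRAM. */
static uint8_t smram_scratch[COMM_MAX_PAYLOAD];

/* True only if [addr, addr + size) lies entirely outside SMRAM and the
 * range does not wrap around the address space. */
bool buffer_outside_smram(uint64_t addr, uint64_t size) {
    if (size == 0 || addr > UINT64_MAX - size) return false;   /* wrap-around */
    uint64_t end = addr + size;                                 /* exclusive */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Vulnerable pattern: copies as many bytes as the caller claims, so a large
 * data_len writes past smram_scratch (the out-of-bounds write class). */
int smi_handler_unchecked(comm_buf_t *buf) {
    memcpy(smram_scratch, buf->data, buf->data_len);
    return 0;
}

/* Hardened pattern: validate the buffer's location and size, read the
 * caller-controlled length exactly once, and reject rather than clamp.
 * comm_addr is the physical address the caller reported for buf. */
int smi_handler_checked(uint64_t comm_addr, comm_buf_t *buf, uint64_t comm_size) {
    if (comm_size < sizeof(comm_buf_t)) return -1;              /* too short to parse */
    if (!buffer_outside_smram(comm_addr, comm_size)) return -2; /* overlaps SMRAM */
    uint32_t len = buf->data_len;                                /* single read */
    if (len > COMM_MAX_PAYLOAD) return -3;                       /* bound the copy */
    memcpy(smram_scratch, buf->data, len);
    return (int)len;                                             /* bytes accepted */
}
```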

The BINARLY Research team, credited with discovering these vulnerabilities through coordinated disclosure, emphasizes the critical nature of these SMM-level security flaws.

| CVE ID        | Title                                        | CVSS 3.1 Score | Severity |
|---------------|----------------------------------------------|----------------|----------|
| CVE-2025-4421 | SMM CPU Protocol Memory Corruption           | 8.2            | High     |
| CVE-2025-4422 | SMM PCD Protocol Memory Corruption           | 8.2            | High     |
| CVE-2025-4423 | SetupAutomationSmm Arbitrary Code Execution  | 8.2            | High     |
| CVE-2025-4424 | SMI Handler Input Validation Bypass          | 6.0            | Medium   |
| CVE-2025-4425 | SMI Handler Stack Overflow                   | 8.2            | High     |
| CVE-2025-4426 | SMRAM Information Disclosure                 | 6.0            | Medium   |

Affected Products

The vulnerabilities impact several Lenovo product lines, including IdeaCentre AIO 3 24ARR9 and 27ARR9 models, as well as multiple Yoga AIO systems, including the 27IAH10, 32ILL10, and 9 32IRH8 variants. 

The security issues specifically affect the EfiSmiServices components, including gEfiSmmCpuProtocol and EfiPcdProtocol implementations within the SMM modules.

Lenovo has released BIOS version L05.05.40.011803.172079 to address these vulnerabilities in affected IdeaCentre models, with the minimum fixed version O6BKT1AA now available for download. 

However, remediation timelines for Yoga AIO systems extend through late 2025, with fixes scheduled for September 30, 2025 (Yoga AIO 32ILL10 and 9 32IRH8) and November 30, 2025 (Yoga AIO 27IAH10).

Users should immediately update their systems through Lenovo’s support portal and enable automatic update mechanisms where available.
