Lenovo has released a security advisory regarding significant vulnerabilities found in the Insyde BIOS firmware used in certain IdeaCentre and Yoga All-In-One products.
These vulnerabilities, tracked as CVE-2025-4421 through CVE-2025-4426, could allow an attacker who already holds local administrative privileges to read sensitive contents of System Management RAM (SMRAM) or execute arbitrary code in System Management Mode (SMM). Because SMM runs at a privilege level above the operating system and any hypervisor, code execution there can bypass OS-level security controls, which is why firmware flaws of this kind are treated seriously even though they require an already-privileged local attacker.
Lenovo strongly recommends that users and organizations update affected devices promptly given the high severity of these issues. The following Lenovo models equipped with Insyde BIOS firmware are affected:
- IdeaCentre AIO 3 24ARR9 and 27ARR9
- Yoga All-In-One models:
  - Yoga AIO 27IAH10
  - Yoga AIO 32ILL10
  - Yoga AIO 9 32IRH8
For these devices, Lenovo has released BIOS updates that address the vulnerabilities. The updates vary by model, and users are advised to verify their current BIOS version and apply the latest patches as soon as possible.
Users should visit Lenovo’s official support site (support.lenovo.com), or ibm.com/support/fixcentral/ for IBM-branded products, search for their specific model, and compare the installed BIOS version with the latest available. On Windows, the installed version is shown in System Information (open Start, search for “System Information”, and read the BIOS Version/Date field). If an update is needed, follow the instructions provided on the support page. Lenovo also offers tools to assist with BIOS management, which simplify the process.
- For the IdeaCentre AIO 3 24ARR9 and 27ARR9, the fixed BIOS version is O6BKT1AA.
- For the Yoga AIO models, fixed BIOS versions were still targeted for release at the time of the advisory.
Regularly check the support site for the latest firmware versions and update instructions.
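The version check described above can be scripted so that it does not depend on reading System Information by hand. The following PowerShell snippet is an added example and is not part of the Lenovo advisory or any Lenovo tool. It reads the installed BIOS version and product name through CIM and compares the version against the fixed version the advisory gives for the IdeaCentre AIO 3 24ARR9/27ARR9. Two assumptions are labelled in the code: that Win32_ComputerSystemProduct.Version carries the Lenovo marketing name on these systems, and that a version string differing from the fixed one is reported as “needs manual review” rather than “vulnerable”, because Insyde version strings are not reliably orderable by plain string comparison.

```powershell
# Added example (not from the Lenovo advisory): read the installed BIOS version and
# product name via CIM and compare against the fixed version the advisory lists for
# the IdeaCentre AIO 3 24ARR9/27ARR9. Run from an elevated PowerShell prompt.
#
# Assumptions (labelled):
#  - Win32_ComputerSystemProduct.Version holds the Lenovo marketing name,
#    e.g. "IdeaCentre AIO 3 24ARR9" (assumption; verify on your hardware).
#  - The fixed-version table contains only what the advisory states; Yoga AIO
#    models had no released fix at the time of the advisory, so they are absent.
#  - A mismatch is flagged for manual review, not declared vulnerable, because
#    Insyde version strings cannot be safely ordered by simple comparison.

$bios    = Get-CimInstance -ClassName Win32_BIOS
$product = Get-CimInstance -ClassName Win32_ComputerSystemProduct

$currentVersion = $bios.SMBIOSBIOSVersion
$releaseDate    = $bios.ReleaseDate
$productName    = $product.Version   # assumption: marketing name on Lenovo systems

# Fixed versions taken from the advisory text.
$fixedVersions = @{
    'IdeaCentre AIO 3 24ARR9' = 'O6BKT1AA'
    'IdeaCentre AIO 3 27ARR9' = 'O6BKT1AA'
}

Write-Host "Product : $productName"
Write-Host "BIOS    : $currentVersion (released $releaseDate)"

# Find the first table entry whose name appears in the reported product name.
$match = $fixedVersions.Keys |
    Where-Object { $productName -like "*$_*" } |
    Select-Object -First 1

if (-not $match) {
    Write-Host "Model is not in the IdeaCentre fixed-version table; check support.lenovo.com for this model."
}
elseif ($currentVersion -eq $fixedVersions[$match]) {
    Write-Host "BIOS matches the advisory's fixed version $($fixedVersions[$match])."
}
else {
    Write-Warning ("BIOS {0} differs from fixed version {1}; verify on support.lenovo.com " +
                   "and update if the installed version is older.") -f $currentVersion, $fixedVersions[$match]
}
```

In a fleet, the same three CIM properties can be collected centrally (for example through your endpoint management tooling) and compared against the advisory table, which is usually more reliable than asking users to open System Information.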
For organizations and environments that handle sensitive data, regularly monitoring official support channels for updates and advisories, and ensuring systems run the latest firmware versions, are crucial to protecting devices. Firmware updates are often not delivered through ordinary operating-system patch management, so they need to be tracked deliberately.
For further details and ongoing updates, check out the official advisory notice.