Security updates: UEFI security vulnerabilities jeopardize Lenovo All-in-One PCs

Various Lenovo All-in-One PC models are vulnerable. The description of the vulnerabilities suggests that Secure Boot can be bypassed.


Several UEFI vulnerabilities expose certain Lenovo All-in-One PC models from the IdeaCentre and Yoga series to attack. In the worst case, attackers can bypass security mechanisms and silently compromise a system with malicious code. Patched UEFI versions are not yet available for all affected models.

According to the published description, the vulnerabilities (CVE-2025-4421 "high", CVE-2025-4422 "high", CVE-2025-4423 "high", CVE-2025-4424 "medium", CVE-2025-4425 "medium", CVE-2025-4426 "medium") are located in UEFI builds that Insyde Software customised for these particular Lenovo PCs; other Insyde UEFI editions are therefore not necessarily affected. The flaws resemble those that Gigabyte recently patched in some of its UEFI firmware.

By exploiting memory-corruption bugs, attackers can gain code execution in System Management Mode (SMM), the highly privileged firmware mode that runs below the operating system and any hypervisor. From there they can plant malicious code that runs before any operating system starts and thus take full control of the computer.

The description of the vulnerabilities reads as if attackers could use this to bypass Secure Boot. Among other things, Secure Boot checks the signatures of bootloaders and operating-system components and refuses to start ones that have been tampered with. If that check is subverted, malicious code stays undetected and victims keep working on a compromised system without noticing.

Security researchers at Binarly discovered the flaws. They say they reported them to Lenovo at the beginning of April 2025; the manufacturer has since published an advisory about the vulnerabilities.


Specifically, the following models are affected:

  • IdeaCentre AIO 3 24ARR9
  • IdeaCentre AIO 3 27ARR9
  • Yoga AIO 27IAH10
  • Yoga AIO 32ILL10
  • Yoga AIO 9 21IRH8

For the affected IdeaCentre models, UEFI firmware version O6BKT1AA contains the fix. The Yoga PCs listed remain vulnerable: the security updates are scheduled for September 30, 2025 (Yoga AIO 32ILL10, Yoga AIO 9 21IRH8) and November 30, 2025 (Yoga AIO 27IAH10). It is not yet known whether the vulnerabilities are already being exploited or how admins can recognise compromised computers.
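What an admin can check today is whether a machine already runs the firmware version named above. The following PowerShell snippet is an added example, not code from the article, Lenovo or Binarly. It assumes that Win32_ComputerSystemProduct.Version carries Lenovo's marketing model name (for example "IdeaCentre AIO 3 24ARR9") and that Win32_BIOS.SMBIOSBIOSVersion carries the Lenovo BIOS ID (for example "O6BKT1AA"); both are assumptions about Lenovo's SMBIOS strings, so verify them on one known machine before rolling the check out. It also only tests for the exact version the article names; whether later versions will also contain the fix is not stated on the page.

```powershell
# Added example (not from the article, Lenovo or Binarly): report whether this
# Lenovo All-in-One runs the UEFI version the article names as fixed.
# Assumptions: Win32_ComputerSystemProduct.Version = marketing model name,
# Win32_BIOS.SMBIOSBIOSVersion = Lenovo BIOS ID. Verify on a known machine first.

# Affected models and the fixed version, as listed in the article.
# $null means no fixed firmware had been released at publication time.
$FixedVersions = @{
    'IdeaCentre AIO 3 24ARR9' = 'O6BKT1AA'
    'IdeaCentre AIO 3 27ARR9' = 'O6BKT1AA'
    'Yoga AIO 27IAH10'        = $null   # update announced for November 30, 2025
    'Yoga AIO 32ILL10'        = $null   # update announced for September 30, 2025
    'Yoga AIO 9 21IRH8'       = $null   # update announced for September 30, 2025
}

function Get-LenovoAioUefiStatus {
    param(
        # Both parameters can be overridden, e.g. with values exported from inventory.
        [string]$Model   = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version,
        [string]$Version = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
    )

    # Substring match so that minor differences in the SMBIOS string still hit.
    $key = $FixedVersions.Keys | Where-Object { $Model -like "*$_*" } | Select-Object -First 1
    if (-not $key) {
        return [pscustomobject]@{ Model = $Model; Installed = $Version; Fixed = $null
                                  Status = 'not in the affected list' }
    }

    $fixed  = $FixedVersions[$key]
    $status = if (-not $fixed) {
                  'vulnerable, no fixed firmware released yet'
              } elseif ($Version.Trim() -eq $fixed) {
                  'fixed firmware version installed'
              } else {
                  "vulnerable, update to $fixed"
              }

    [pscustomobject]@{ Model = $key; Installed = $Version; Fixed = $fixed; Status = $status }
}

# Usage: run on the machine itself (no elevation needed for these CIM reads).
Get-LenovoAioUefiStatus
```

Note that this only tells you whether the patch is installed; it says nothing about whether a machine was compromised before the update, which, as the article says, is not yet something admins have a published way to detect.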

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.