Lenovo issues urgent BIOS updates for high-severity vulnerabilities

Weaknesses were discovered in specific BIOS versions provided by Insyde Software, a major supplier of system firmware

  • The vulnerabilities affect certain IdeaCentre AIO 3 and Yoga AIO all-in-one desktop computers.
  • While BIOS fixes for some Yoga AIO models aren’t expected until between September and November 2025, many others have updates already released.
  • The main risk: a privileged local attacker could exploit these flaws to read protected memory contents or even execute arbitrary code within System Management Mode.

Lenovo has addressed a set of critical BIOS vulnerabilities that put millions of devices at risk, releasing urgent firmware updates for multiple system models.

As of July 2025, while many updates are available, some models remain pending fixes, and Lenovo is actively communicating these risks to users.

The weaknesses were discovered in specific BIOS versions provided by Insyde Software, a major supplier of system firmware. According to Lenovo, these vulnerabilities affect certain IdeaCentre AIO 3 and Yoga AIO all-in-one desktop computers.

The main risk: a privileged local attacker could exploit these flaws to read protected memory contents or even execute arbitrary code within System Management Mode (SMM).

Six separate issues

SMM is a specialised x86 CPU operating mode running with exceptionally high privileges—beyond even the operating system kernel, which is why it is informally called ring -2. When the processor enters SMM (on a System Management Interrupt), normal execution is suspended, so code running there can halt virtually all other software on the system.

SMM is responsible for handling power management, direct hardware control, and various OEM-implemented low-level operations. As such, vulnerabilities in this area can have serious, far-reaching impact.

The vulnerabilities, first disclosed by the Binarly Research team in April 2025, comprise six separate issues: four rated as high severity (8.2/10 on the CVSS scale) and two rated as medium (6/10).

Successfully exploiting these flaws would let an attacker who already holds local, kernel-level privileges (ring 0) escalate into System Management Mode (ring -2), potentially exposing the contents of the protected firmware memory region (SMRAM) and allowing malicious code execution in this highly privileged context.

A powerful reminder

Such deep-level access could enable attackers to install persistent threats—malicious firmware capable of surviving a full wipe and OS reinstall, completely bypassing most conventional security defenses. However, exploiting these bugs is not trivial and would require the attacker to have pre-existing high-level (kernel) system access.

Lenovo’s official guidance is clear: users should check for the latest available BIOS updates for their affected systems and apply them as soon as possible.

While BIOS fixes for some Yoga AIO models aren’t expected until between September and November 2025, many others have updates already released. For maximum protection, keeping system firmware current is essential.
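Lenovo's advice is to confirm the installed BIOS version against the advisory for the specific model. The script below is an added example for doing that inventory step on Windows; it is not code from the article, from Lenovo or from Insyde. It reads the SMBIOS data Windows already exposes through CIM and compares the installed version with a table of fixed versions. The `$KnownFixedVersions` table is a placeholder: the real model names and fixed BIOS versions must be copied from Lenovo's advisory, which this page does not reproduce. The use of `Win32_ComputerSystemProduct.Version` for the marketing name is an assumption about how Lenovo populates that field.

```powershell
# Added example (not from the article or the vendor): inventory the installed BIOS
# and flag systems that do not yet carry the version named in the advisory.
# Assumes Windows PowerShell 5.1 or later with CIM access to the local machine.

function Get-BiosInventory {
    $bios    = Get-CimInstance -ClassName Win32_BIOS
    $system  = Get-CimInstance -ClassName Win32_ComputerSystem
    $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct

    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        Model        = $system.Model
        # Assumption: Lenovo stores the marketing name (e.g. an IdeaCentre or Yoga AIO
        # product name) in this field rather than in Win32_ComputerSystem.Model.
        ProductName  = $product.Version
        BiosVersion  = $bios.SMBIOSBIOSVersion
        ReleaseDate  = $bios.ReleaseDate
    }
}

function Test-BiosAgainstAdvisory {
    param(
        [Parameter(Mandatory)] $Inventory,
        [Parameter(Mandatory)] [hashtable] $KnownFixedVersions
    )

    # Vendor BIOS version strings do not sort reliably as text, so the check is an
    # exact match against the fixed version rather than a greater-than comparison.
    $fixed = $KnownFixedVersions[$Inventory.ProductName]
    if (-not $fixed) { $fixed = $KnownFixedVersions[$Inventory.Model] }

    $status = if (-not $fixed) {
        'NotListedInAdvisory'      # model not in the table: verify manually
    } elseif ($Inventory.BiosVersion -eq $fixed) {
        'Patched'
    } else {
        'UpdateRequired'           # installed version differs from the fixed one
    }

    [pscustomobject]@{
        ProductName      = $Inventory.ProductName
        InstalledVersion = $Inventory.BiosVersion
        ReleaseDate      = $Inventory.ReleaseDate
        FixedVersion     = $fixed
        Status           = $status
    }
}

# PLACEHOLDER table: replace keys and values with the model names and fixed BIOS
# versions published in Lenovo's advisory for the affected IdeaCentre AIO 3 and
# Yoga AIO systems. Models whose fix is not yet released should be left out so
# they are reported as NotListedInAdvisory and tracked separately.
$KnownFixedVersions = @{
    'PLACEHOLDER-MODEL-NAME' = 'PLACEHOLDER-FIXED-BIOS-VERSION'
}

$inventory = Get-BiosInventory
Test-BiosAgainstAdvisory -Inventory $inventory -KnownFixedVersions $KnownFixedVersions |
    Format-List
```

Run the script in an elevated or standard PowerShell session on each machine (or wrap `Get-BiosInventory` in `Invoke-Command` for remote hosts) and feed the `Status` column into whatever patch-tracking process is in use. Any system reporting `UpdateRequired` should be scheduled for the BIOS update Lenovo has published for that model; those reporting `NotListedInAdvisory` need a manual check against the advisory rather than being assumed safe.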

This situation is a powerful reminder of how critical firmware security—and timely patching—has become in today’s computing landscape. Staying up to date with vendor advisories and recommended security practices remains the surest way to protect against these evolving risks.
