Lenovo IdeaCentre and Yoga Laptops Exposed to BIOS Vulnerabilities Allowing Arbitrary Code Execution

Lenovo has released a critical security advisory addressing six newly discovered vulnerabilities in Insyde BIOS firmware that could potentially allow attackers to gain unauthorized access to sensitive system areas and execute malicious code.

The advisory, designated LEN-201013, affects several popular IdeaCentre and Yoga All-In-One desktop models and carries a high severity rating due to the potential for information disclosure and privilege escalation attacks.

Critical Security Flaws Discovered in Lenovo Systems

The vulnerabilities, tracked under CVE identifiers CVE-2025-4421 through CVE-2025-4426, were discovered by the Binarly REsearch team and reported to Lenovo for coordinated disclosure.

These flaws affect the Insyde BIOS firmware used in certain Lenovo desktop computers and give a privileged local attacker a path into System Management Mode (SMM), including the ability to read SMRAM contents.

The most concerning aspect of these vulnerabilities is their potential to allow arbitrary code execution in System Management Mode, which represents one of the most privileged execution environments in modern computer systems.

SMM typically operates with the highest level of system access, making it an attractive target for sophisticated attackers seeking to establish persistent, low-level system compromise.

According to Lenovo’s security assessment, the scope of impact is classified as “Lenovo-specific,” indicating that these particular vulnerabilities are unique to how Lenovo has implemented the Insyde BIOS in its affected products.

While the vulnerabilities require local access with existing privileges, successful exploitation could lead to complete system compromise.

Affected Products and Technical Details

The security advisory specifically identifies several desktop models within Lenovo’s IdeaCentre and Yoga All-In-One product lines.

The IdeaCentre AIO 3 series (both the 24ARR9 and 27ARR9 models) is affected; its minimum fixed BIOS version, O6BKT1AA, is already available for download.

Additionally, three Yoga AIO models face similar vulnerabilities: the Yoga AIO 27IAH10, Yoga AIO 32ILL10, and Yoga AIO 9 32IRH8.

However, for these Yoga models, BIOS updates are still in development with staggered availability dates.

The Yoga AIO 32ILL10 and Yoga AIO 9 32IRH8 are expected to receive their security updates by September 30, 2025, while the Yoga AIO 27IAH10 fix is targeted for November 30, 2025.

Lenovo strongly recommends that users of affected systems immediately check their current BIOS version and update to the specified minimum fixed version where available.

Users can access the necessary updates through Lenovo’s support website by searching for their specific product model and navigating to the Drivers & Software section.

For systems where updates are not yet available, Lenovo advises users to monitor their support pages regularly and apply security updates as soon as they become available.
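The check Lenovo recommends, scripted for a Windows host as an added example (not code from the advisory or from Lenovo): it compares the machine's model and BIOS ID against the affected models and the minimum fixed version listed above. It assumes that Win32_ComputerSystemProduct.Version carries the marketing name, that Win32_BIOS.SMBIOSBIOSVersion carries the Lenovo BIOS ID, and that the ID is a five-character family code followed by a suffix that sorts alphanumerically; all three are assumptions about Lenovo's naming, not facts from the advisory.

```powershell
# Added example: flag a host whose BIOS is below the minimum fixed version in LEN-201013.
# Assumption: model name and BIOS ID come from the two CIM classes queried below.
$Advisory = @{
    'IdeaCentre AIO 3 24ARR9' = 'O6BKT1AA'
    'IdeaCentre AIO 3 27ARR9' = 'O6BKT1AA'
    'Yoga AIO 27IAH10'        = $null   # fix targeted for November 30, 2025
    'Yoga AIO 32ILL10'        = $null   # fix targeted for September 30, 2025
    'Yoga AIO 9 32IRH8'       = $null   # fix targeted for September 30, 2025
}

function Test-LenovoBiosFixed {
    param([string]$Model, [string]$BiosVersion)
    $result = [ordered]@{ Model = $Model; Bios = $BiosVersion; Status = 'NotAffected' }
    $entry = $Advisory.Keys | Where-Object { $Model -like "*$_*" } | Select-Object -First 1
    if (-not $entry) { return [pscustomobject]$result }

    $min = $Advisory[$entry]
    $result.MinimumFixed = $min
    if (-not $min) { $result.Status = 'AwaitingFix'; return [pscustomobject]$result }

    # Assumption: first five characters are the BIOS family; only IDs from the
    # same family are comparable, anything else needs a manual look.
    if ($BiosVersion.Length -lt 6 -or $BiosVersion.Substring(0, 5) -ne $min.Substring(0, 5)) {
        $result.Status = 'ReviewManually'; return [pscustomobject]$result
    }
    # Assumption: the remaining suffix sorts alphanumerically (ordinal compare).
    $cmp = [string]::CompareOrdinal($BiosVersion.Substring(5), $min.Substring(5))
    $result.Status = if ($cmp -ge 0) { 'Fixed' } else { 'Vulnerable' }
    [pscustomobject]$result
}

# Evaluate the local machine.
$product = Get-CimInstance Win32_ComputerSystemProduct
$bios    = Get-CimInstance Win32_BIOS
Test-LenovoBiosFixed -Model $product.Version -BiosVersion $bios.SMBIOSBIOSVersion
```

A result of ReviewManually means the installed BIOS ID does not share the family code of the fixed version, so the comparison cannot be trusted and the support page should be consulted directly.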

The company has also provided automated update management tools to streamline the patching process for both PC and enterprise customers.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
