Overview
- Six UEFI vulnerabilities in Insyde Software-customized firmware are tracked as CVE-2025-4421 through CVE-2025-4426, with three rated high and three medium severity.
- Firmware O6BKT1AA, released July 31, secures IdeaCentre AIO 3 24ARR9 and 27ARR9 models against the identified flaws.
- Affected Yoga AIO 32ILL10 and Yoga AIO 9 21IRH8 PCs are scheduled to receive patches on September 30, 2025, followed by an update for the Yoga AIO 27IAH10 on November 30, 2025; until then those models have no fix available.
- The flaws sit in System Management Mode (SMM) code. An attacker who can trigger them (in practice one who already has privileged code execution on the host) gains code execution in SMM, which runs below the operating system and hypervisor; from there Secure Boot can be bypassed and malware planted in firmware, where it survives an operating-system reinstall because it never lived on disk.
- Lenovo rates the advisory high severity overall, citing potential data disclosure and privilege escalation, and reports no known exploitation in the wild.
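For an administrator triaging a fleet, the practical first step is to compare each machine's model and firmware ID against the fix table above and confirm Secure Boot is still on. The following PowerShell check is an added example, not code from the page or from Lenovo, and it assumes (neither is stated on the page) that `Win32_ComputerSystemProduct.Version` carries Lenovo's marketing model name and that `Win32_BIOS.SMBIOSBIOSVersion` carries the firmware ID such as `O6BKT1AA`; it treats only an exact match with the listed fix as fixed and sends any other ID on a covered model to manual comparison rather than guessing at Lenovo's version ordering.

```powershell
# Added example, not from the page or from Lenovo: check a Lenovo AIO against the
# fix status summarized above. Assumptions (not stated on the page):
#  - Win32_ComputerSystemProduct.Version carries Lenovo's marketing model name
#  - Win32_BIOS.SMBIOSBIOSVersion carries the firmware ID (e.g. O6BKT1AA)
#  - a fixed build is recognised by exact ID match; any other ID on a covered
#    model is reported for manual comparison, not declared fixed or vulnerable

$fixed = @{
    'IdeaCentre AIO 3 24ARR9' = 'O6BKT1AA'   # released July 31
    'IdeaCentre AIO 3 27ARR9' = 'O6BKT1AA'
}
$pending = @{
    'Yoga AIO 32ILL10'  = '2025-09-30'       # fix scheduled, not yet available
    'Yoga AIO 9 21IRH8' = '2025-09-30'
    'Yoga AIO 27IAH10'  = '2025-11-30'
}

$product = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version
$bios    = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion

# Confirm-SecureBootUEFI needs an elevated prompt and a UEFI boot; on failure
# record "unknown" instead of aborting the whole check.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $null }

# Match the reported product name against the models named in the advisory summary.
$known = @($fixed.Keys) + @($pending.Keys)
$model = $known | Where-Object { $product -like "*$_*" } | Select-Object -First 1

$status = if (-not $model) {
    'model not covered by this advisory summary'
} elseif ($fixed.ContainsKey($model)) {
    if ($bios -eq $fixed[$model]) {
        "fixed firmware $bios installed"
    } else {
        "firmware $bios is not the listed fix ($($fixed[$model])); compare against Lenovo's advisory"
    }
} else {
    "no fix available yet (scheduled $($pending[$model])); SMM flaws reachable by local privileged code"
}

[pscustomobject]@{
    Product    = $product
    Model      = $model
    Firmware   = $bios
    SecureBoot = $secureBoot
    Status     = $status
} | Format-List
```

Run it from an elevated PowerShell session. Read the `SecureBoot` field as a necessary rather than sufficient signal: code that has already run in SMM can alter firmware state from below the OS, so a machine that reports Secure Boot enabled on unpatched firmware is not thereby shown to be clean; the firmware ID and the fix date are what decide whether the machine is still exposed.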