Particle.news

Lenovo Patches IdeaCentre Firmware Flaws While Yoga All-in-One PCs Remain Vulnerable

Lenovo’s firmware update closes high-severity UEFI holes that attackers could exploit to stealthily implant persistent malware.

[Image: The laptop maker Lenovo is currently warning of security vulnerabilities in its products. (Stock image)]

Overview

  • Six UEFI vulnerabilities in Insyde Software-customized firmware are tracked as CVE-2025-4421 through CVE-2025-4426, with three rated high and three medium severity.
  • Firmware O6BKT1AA, released July 31, secures IdeaCentre AIO 3 24ARR9 and 27ARR9 models against the identified flaws.
  • Affected Yoga AIO 32ILL10 and Yoga AIO 9 21IRH8 PCs are scheduled to receive patches on September 30, 2025, followed by an update for the Yoga AIO 27IAH10 on November 30, 2025.
  • The flaws allow attackers to abuse System Management Mode to bypass Secure Boot and install malware that persists across operating system reinstalls.
  • Lenovo classifies the issues as high severity because of potential data disclosure and privilege escalation, and reports no confirmed in-the-wild exploitation.