Particle.news

Lenovo Patches IdeaCentre PCs as Yoga All-in-Ones Remain Vulnerable

Attackers can implant undetectable malware in System Management Mode and bypass Secure Boot; Yoga All-in-One PCs will receive firmware updates in September and November.

Overview

  • Binarly researchers disclosed six UEFI vulnerabilities (CVE-2025-4421 to CVE-2025-4426) in Lenovo IdeaCentre and Yoga All-in-One PCs in April, with four rated high severity and two medium.
  • Lenovo has released UEFI firmware O6BKT1AA for the IdeaCentre AIO 3 24ARR9 and 27ARR9 models, addressing the reported flaws on those devices.
  • Yoga AIO 27IAH10, 32ILL10 and 9 32IRH8 systems remain unpatched and are scheduled to receive updates on September 30 and November 30, 2025, respectively.
  • The vulnerabilities reside in UEFI firmware customized from Insyde Software code and permit attackers to implant persistent malware in System Management Mode that can survive operating-system reinstalls and potentially bypass Secure Boot.
  • It remains unclear whether the flaws have been exploited in the wild, and administrators currently lack reliable tools for detecting compromised firmware.