Particle.news


Lenovo Releases Patches to Fix Critical SMM Vulnerabilities in IdeaCentre AIO 3

The patches close System Management Mode flaws in Lenovo's customized UEFI firmware; implants planted through them can survive operating system reinstalls, so only a firmware update remediates affected machines

Lenovo firmware vulnerability

Overview

  • Researchers identified six UEFI System Management Mode vulnerabilities (CVE-2025-4421 through CVE-2025-4426) with four rated high severity and two medium severity
  • Lenovo issued firmware version O6BKT1AA on July 30 for IdeaCentre AIO 3 24ARR9 and 27ARR9 models and is urging users to install the update immediately
  • Fixes for Yoga AIO 27IAH10, 32ILL10 and 32IRH8 are slated to arrive between September 30 and November 30, 2025, according to Lenovo’s support schedule
  • Exploiting the flaws lets an attacker who already has privileged local access bypass SPI flash write protections and Secure Boot to deploy firmware implants that persist through OS reinstalls and can even break hypervisor isolation
  • Insyde’s bulletin confirms the vulnerabilities stem from Lenovo-specific customizations in InsydeH2O UEFI firmware and do not affect all systems using the framework