Overview
- Researchers identified six UEFI System Management Mode (SMM) vulnerabilities (CVE-2025-4421 through CVE-2025-4426); four are rated high severity and two medium severity
- Lenovo issued firmware version O6BKT1AA on July 30 for IdeaCentre AIO 3 24ARR9 and 27ARR9 models and is urging users to install the update immediately
- Fixes for Yoga AIO 27IAH10, 32ILL10 and 32IRH8 are slated to arrive between September 30 and November 30, 2025, according to Lenovo’s support schedule
- Exploitation of the flaws can bypass SPI flash write protections and Secure Boot to deploy firmware implants that persist across OS reinstalls and can even break hypervisor isolation
- Insyde’s bulletin confirms the vulnerabilities stem from Lenovo-specific customizations in InsydeH2O UEFI firmware and do not affect all systems using the framework