Lenovo Warns of Serious Vulnerabilities in AIO PCs

Several models are affected; patches are already available for some of them and pending for the rest.

Lenovo has disclosed multiple vulnerabilities in the BIOS of its IdeaCentre and Yoga all-in-one (AIO) desktops. According to the manufacturer, an attacker with local access can exploit them to execute malicious code in System Management Mode (SMM), PCWorld writes.

Difficult to Remove Malware

SMM runs beneath the operating system and any hypervisor, so code that gains a foothold there is hard to detect from within Windows and hard to remove: even a full reinstallation of Windows does not eliminate it, because the malware lives in firmware rather than on disk. That is what makes these vulnerabilities particularly risky. The issues (CVE-2025-4421 through CVE-2025-4426, six in all) were reported by security researchers, and four of them received a high severity score.

Affected Models

According to Lenovo, the following models are among those vulnerable:

  • IdeaCentre AIO 3 24ARR9
  • IdeaCentre AIO 3 27ARR9
  • Yoga AIO 27IAH10
  • Yoga AIO 32ILL10
  • Yoga AIO 9 32IRH8

The vulnerable code is in the Insyde-based BIOS firmware that Lenovo ships on these models; the underlying firmware is developed by the Taiwanese vendor Insyde Software. Insyde's firmware is also used by other PC manufacturers, but according to the report these particular vulnerabilities do not appear to affect other brands.

Updates and Advice

Lenovo has released patches for the IdeaCentre models. Updates for the affected Yoga AIOs are expected to follow in September.

Users are advised to look up their model on the Lenovo support site, download the latest BIOS version, and install it manually. Those who already use Lenovo's update tool can obtain the patch through it. Until an update is available, Lenovo recommends staying extra vigilant and using reliable antivirus software. Treat that as a stopgap only: an SMM implant runs beneath the operating system, where antivirus has no visibility, so the firmware update is the real fix. Because the flaws require local access, limiting who can log in to an unpatched machine in the meantime also reduces the exposure.
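For anyone checking a single PC or a small fleet, the following PowerShell script is an added example (not code from Lenovo or PCWorld). It reads the model name and BIOS version that Windows exposes through WMI/CIM and flags the machine if its product name matches one of the five models listed above. The fixed BIOS version numbers are not given on this page, so the script does not decide "patched or not"; it only identifies candidate systems and prints the version string to compare against the latest release on Lenovo's support site. It assumes a Windows host and relies on Lenovo placing the marketing name (for example "Yoga AIO 27IAH10") in the Win32_ComputerSystemProduct Version field, which is why it also checks the Model field as a fallback.

```powershell
# Added example, not part of the original article or Lenovo's advisory.
# Reports whether this Windows machine is one of the AIO models named in
# the advisory and shows the installed BIOS version for manual comparison.
# Fixed BIOS versions are not listed on this page, so no patched/unpatched
# verdict is made here; ListedAsAffected only means "model is on the list".

function Get-LenovoAioExposure {
    [CmdletBinding()]
    param()

    # Model names exactly as listed in the article.
    $affectedModels = @(
        'IdeaCentre AIO 3 24ARR9',
        'IdeaCentre AIO 3 27ARR9',
        'Yoga AIO 27IAH10',
        'Yoga AIO 32ILL10',
        'Yoga AIO 9 32IRH8'
    )

    $system  = Get-CimInstance -ClassName Win32_ComputerSystem
    $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $bios    = Get-CimInstance -ClassName Win32_BIOS

    # Lenovo puts the marketing name in Win32_ComputerSystemProduct.Version;
    # Win32_ComputerSystem.Model usually holds the machine-type code.
    # Check both fields, case-insensitively, against the affected list.
    $candidates = @($product.Version, $system.Model) | Where-Object { $_ }
    $matchedModel = $affectedModels | Where-Object {
        $name = $_
        $candidates | Where-Object { $_ -like "*${name}*" }
    } | Select-Object -First 1

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Manufacturer     = $system.Manufacturer
        ProductName      = $product.Version
        Model            = $system.Model
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosReleaseDate  = $bios.ReleaseDate
        ListedAsAffected = [bool]$matchedModel
        MatchedModel     = $matchedModel
    }
}

# Run locally and print the result as a list of fields.
Get-LenovoAioExposure | Format-List
```

Because the affected-model list is embedded in the function, the same function can be pushed to remote machines unchanged, for example with `Invoke-Command -ComputerName pc1,pc2 -ScriptBlock ${function:Get-LenovoAioExposure}` (assuming PowerShell remoting is already enabled on those hosts), and the resulting objects can be exported to CSV for triage. A match still needs a manual comparison of BiosVersion against the version Lenovo's support page lists for that model before the machine can be considered patched.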