Critical security flaws found in Lenovo AIO PCs! What to do if affected

Lenovo has disclosed several critical BIOS security vulnerabilities in its IdeaCentre and Yoga All-In-One desktop computers. The vulnerabilities, tracked as CVE-2025-4421 through CVE-2025-4426, allow a local attacker to execute malicious code in System Management Mode (SMM), a processor mode with higher privileges than the operating system kernel, so code running there sits beneath the reach of the OS and most endpoint security software. The affected models are the Lenovo IdeaCentre AIO 3 24ARR9, Lenovo IdeaCentre AIO 3 27ARR9, Lenovo Yoga AIO 27IAH10, Lenovo Yoga AIO 32ILL10 and Lenovo Yoga AIO 9 32IRH8. The flaws lie in the Insyde BIOS firmware used in these machines, which is not developed by Lenovo itself.

Lenovo is working on patches for the security flaws, but at present they are available only for the two IdeaCentre models. Owners of the vulnerable Lenovo Yoga AIO desktops will likely have to wait until September for the corresponding updates.

Users can download and install the latest BIOS version for their affected device from Lenovo's support website or use the company's update management tool. Where a device cannot yet be patched, users should confirm that the rest of the PC's security posture is sound and run a reliable antivirus program to reduce the risk of an attack, since exploitation requires local code execution in the first place.
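The practical first step for anyone managing one of these machines is to find out whether it is one of the listed models and which BIOS build it is running, so the version can be checked against the fixed build on Lenovo's support site. The following Python script is an added example written for this page, not a Lenovo tool. The model list is taken from the advisory summary above; the choice of SMBIOS fields (the sysfs `product_version` file on Linux, `Win32_ComputerSystemProduct.Version` and `Win32_BIOS.SMBIOSBIOSVersion` via PowerShell on Windows) and the assumption that Lenovo stores the marketing name in the product-version field are the author's, as is the `patch_status` mapping, which simply encodes what the article says about IdeaCentre versus Yoga availability at the time of writing.

```python
"""Report whether this machine is one of the Lenovo AIO models named in the
advisory for CVE-2025-4421 to CVE-2025-4426, and show its BIOS version so it
can be compared with the fixed build on Lenovo's support site.

Added example, not Lenovo's own tooling. AFFECTED_MODELS comes from the
article; the DMI/WMI field choices and the patch-status mapping are assumptions.
"""
import platform
import re
import subprocess
from pathlib import Path
from typing import Optional

# Affected models as listed in the advisory summary (without the "Lenovo" prefix).
AFFECTED_MODELS = (
    "IdeaCentre AIO 3 24ARR9",
    "IdeaCentre AIO 3 27ARR9",
    "Yoga AIO 27IAH10",
    "Yoga AIO 32ILL10",
    "Yoga AIO 9 32IRH8",
)

# Patch availability as described in the article at the time of writing.
PATCH_AVAILABLE = "available (IdeaCentre BIOS update published)"
PATCH_PENDING = "pending (article: Yoga updates expected in September)"


def _normalise(text: str) -> str:
    """Lower-case, collapse whitespace and drop a leading 'Lenovo' vendor prefix."""
    text = re.sub(r"\s+", " ", text.strip().lower())
    return re.sub(r"^lenovo ", "", text)


def matching_model(product_name: str) -> Optional[str]:
    """Return the advisory model that product_name refers to, or None if not listed."""
    name = _normalise(product_name)
    if not name:
        return None
    for model in AFFECTED_MODELS:
        if _normalise(model) in name:
            return model
    return None


def read_system_identity() -> dict:
    """Read the SMBIOS product name and BIOS version from the running machine.

    Assumption: on Lenovo consumer systems the marketing name is in the SMBIOS
    'product version' field rather than the short machine-type code.
    """
    if platform.system() == "Windows":
        def ps(expr: str) -> str:
            proc = subprocess.run(["powershell", "-NoProfile", "-Command", expr],
                                  capture_output=True, text=True, check=False)
            return proc.stdout.strip()
        return {
            "product": ps("(Get-CimInstance Win32_ComputerSystemProduct).Version"),
            "bios": ps("(Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion"),
        }
    dmi = Path("/sys/class/dmi/id")

    def read(name: str) -> str:
        try:
            return (dmi / name).read_text().strip()
        except OSError:  # file absent (VM, non-x86) or not readable
            return ""
    return {"product": read("product_version") or read("product_name"),
            "bios": read("bios_version")}


def assess(identity: dict) -> dict:
    """Turn a product/BIOS identity into a verdict a fleet script can act on."""
    model = matching_model(identity.get("product", ""))
    if model is None:
        status = "not listed in advisory"
    elif model.startswith("IdeaCentre"):
        status = PATCH_AVAILABLE
    else:
        status = PATCH_PENDING
    return {
        "listed_in_advisory": model is not None,
        "model": model,
        "bios_version": identity.get("bios", ""),
        "patch_status": status,
    }


if __name__ == "__main__":
    # Constructed identity used for an offline demonstration; replace with
    # read_system_identity() to check the machine the script runs on.
    sample = {"product": "Lenovo Yoga AIO 9 32IRH8", "bios": "CONSTRUCTED-BIOS-1.00"}
    for key, value in assess(sample).items():
        print(f"{key}: {value}")
```

The script deliberately does not decide whether a given BIOS build is fixed: the article names no version numbers, so the safe output is "this model is on the list, here is what it runs, go compare". Because the normalised match is a substring test, it tolerates the vendor prefix, case differences and the extra whitespace that SMBIOS strings often carry, but it will not confuse the Yoga AIO 9 32IRH8 with the Yoga AIO 32ILL10.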
Note: This is an AI-generated summary of the original article. For the full story, please visit the source link below.