Lenovo has disclosed high-severity BIOS vulnerabilities affecting certain all-in-one desktops, which could allow attackers to bypass Secure Boot and execute malicious code. Firmware updates are available for some models, but others will receive fixes later this year. #Lenovo #SecureBoot #BIOSVulnerabilities
Key points
- Six critical vulnerabilities were identified in Lenovo's InsydeH2O UEFI firmware, mainly affecting System Management Mode (SMM).
- Exploiting these flaws could enable privilege escalation and stealthy malware installation at the firmware level.
- Lenovo confirmed the issues after being notified by Binarly and released firmware updates for some affected models.
- The vulnerabilities stem from OEM-specific customizations and involve unsafe handling of SMI handlers.
- Firmware upgrades are urged to mitigate risks, with plans for fixes for Yoga AIO models scheduled later in 2025.