Critical BIOS Flaws in Lenovo Desktops Expose SMM to Privilege Escalation
Researchers at Binarly have uncovered six critical vulnerabilities in BIOS firmware developed by Insyde Software and deployed in Lenovo desktop systems, particularly within the IdeaCentre AIO 3 and Yoga AIO product lines. All of these flaws are rooted in the System Management Mode (SMM), a specialized processor mode that operates with even higher privileges than the operating system kernel.
SMM functions at ring -2—an execution layer beyond the reach of conventional applications, drivers, and even hypervisors. This mode is reserved for performing critical low-level operations such as power management, hardware component control, OEM-specific functionality, and other tasks that require full isolation from the primary software stack.
According to Lenovo, several BIOS versions based on Insyde firmware are vulnerable to attacks in which a threat actor, already possessing kernel-level (ring 0) privileges, can access the protected System Management RAM (SMRAM). From this memory region, an attacker could not only extract sensitive information but also inject arbitrary code that would execute within SMM—an execution environment completely invisible and inaccessible to antivirus software, integrity checkers, and other security solutions.
Four of the six vulnerabilities received a high severity score of 8.2 on the CVSS scale, while the remaining two were rated at 6.0, indicating a moderate risk. Collectively, these flaws pose a significant threat to system integrity, as successful exploitation would allow malicious code to be implanted directly into the firmware—bypassing all operating system defenses and persisting even after a complete OS reinstallation or disk reformatting.
Although exploitation requires local access and elevated privileges, analysts warn that these vulnerabilities are particularly dangerous in multi-stage attack chains, where adversaries first compromise the system and then entrench themselves at the platform firmware level.
Lenovo was notified of the vulnerabilities by the Binarly team on April 8, 2025. The vendor has already released firmware updates for some affected devices, including certain Yoga AIO configurations. Additional patches are expected to be rolled out between September and November 2025.
The manufacturer strongly urges all owners of affected models to update their BIOS to the latest version as soon as possible to prevent potential system compromise at a level beyond the reach of traditional operating system protections.
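A defender's first step is to find which hosts in a fleet actually carry an Insyde-based BIOS on the product lines named above, and which of those still run pre-fix firmware. The script below is an added example, not code from Binarly, Lenovo or Insyde: it parses the `BIOS Information` and `System Information` sections of `dmidecode` output (the sample blocks are constructed), keeps only Lenovo systems whose product name matches the IdeaCentre AIO 3 or Yoga AIO lines and whose BIOS vendor is Insyde, and flags those whose BIOS release date is older than a cutoff. The cutoff date, the model patterns and the version strings in the samples are placeholders, since the article gives no fixed version numbers; take the real values from the vendor advisory for each model.

```python
"""Fleet triage for Insyde-based Lenovo AIO firmware (added example)."""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Placeholder patterns for the product lines the article names; exact model
# strings must come from the vendor advisory.
AFFECTED_PRODUCT_PATTERNS = (
    re.compile(r"IdeaCentre AIO 3", re.I),
    re.compile(r"Yoga AIO", re.I),
)
# Placeholder cutoff: firmware released before this date is treated as unpatched.
# Replace with the fixed version/date from the advisory for each model.
FIX_CUTOFF = date(2025, 9, 1)


@dataclass(frozen=True)
class HostBios:
    hostname: str
    system_vendor: str
    product: str
    bios_vendor: str
    bios_version: str
    bios_date: date  # date.min when dmidecode did not report one


def parse_dmidecode(hostname: str, text: str) -> HostBios:
    """Extract vendor/product/BIOS fields from `dmidecode -t bios -t system` text.

    Non-indented lines name a section; indented `Key: Value` lines belong to it.
    Section tracking matters because `Version:` occurs in both sections.
    """
    section = None
    got = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            section = raw.strip()
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if section == "System Information" and key == "Manufacturer":
            got["system_vendor"] = value
        elif section == "System Information" and key == "Product Name":
            got["product"] = value
        elif section == "BIOS Information" and key == "Vendor":
            got["bios_vendor"] = value
        elif section == "BIOS Information" and key == "Version":
            got["bios_version"] = value
        elif section == "BIOS Information" and key == "Release Date":
            got["bios_date"] = datetime.strptime(value, "%m/%d/%Y").date()
    return HostBios(
        hostname=hostname,
        system_vendor=got.get("system_vendor", ""),
        product=got.get("product", ""),
        bios_vendor=got.get("bios_vendor", ""),
        bios_version=got.get("bios_version", ""),
        bios_date=got.get("bios_date", date.min),
    )


def in_scope(h: HostBios) -> bool:
    """Lenovo system, affected product line, Insyde-developed BIOS."""
    return (
        h.system_vendor.strip().lower() == "lenovo"
        and any(p.search(h.product) for p in AFFECTED_PRODUCT_PATTERNS)
        and "insyde" in h.bios_vendor.lower()
    )


def triage(inventory: dict) -> dict:
    """Map hostname -> dmidecode text into needs_update / patched / out_of_scope."""
    result = {"needs_update": [], "patched": [], "out_of_scope": []}
    for hostname, text in inventory.items():
        h = parse_dmidecode(hostname, text)
        if not in_scope(h):
            result["out_of_scope"].append(hostname)
        elif h.bios_date < FIX_CUTOFF:  # unknown date (date.min) is treated as old
            result["needs_update"].append(hostname)
        else:
            result["patched"].append(hostname)
    return result


# Constructed sample inventory; version strings are placeholders, not real BIOS ids.
SAMPLE_INVENTORY = {
    "aio-lab-01": "Handle 0x0000, DMI type 0, 26 bytes\nBIOS Information\n"
                  "\tVendor: Insyde Corp.\n\tVersion: PLACEHOLDER-OLD\n"
                  "\tRelease Date: 03/15/2024\n\nHandle 0x0001, DMI type 1, 27 bytes\n"
                  "System Information\n\tManufacturer: LENOVO\n"
                  "\tProduct Name: IdeaCentre AIO 3 (constructed)\n\tVersion: constructed\n",
    "aio-lab-02": "BIOS Information\n\tVendor: Insyde Corp.\n\tVersion: PLACEHOLDER-NEW\n"
                  "\tRelease Date: 10/02/2025\n\nSystem Information\n"
                  "\tManufacturer: LENOVO\n\tProduct Name: Yoga AIO (constructed)\n",
    "desk-other-03": "BIOS Information\n\tVendor: Other Vendor\n\tVersion: X\n"
                     "\tRelease Date: 01/01/2023\n\nSystem Information\n"
                     "\tManufacturer: OtherCo\n\tProduct Name: Desktop\n",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

In practice the `dmidecode` text (or the equivalent `Win32_BIOS` / `Win32_ComputerSystem` fields on Windows) comes from the endpoint agent or inventory system; the release-date comparison is a coarse first pass, and the final decision for each model should be a version match against the advisory, which is why the cutoff is deliberately a labelled placeholder.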