Lenovo devices are impacted by multiple security vulnerabilities, including those that could enable attackers to install persistent implants on targeted systems, according to a report released Tuesday by firmware security and supply chain risk management firm Binarly.
Binarly identified six vulnerabilities in Lenovo all-in-one desktop models, particularly within the System Management Mode (SMM), which is a specialized operating mode used for low-level system tasks.
SMM operates before the main operating system and remains intact even after the system is reinstalled. This makes it an attractive target for threat actors who want to bypass Secure Boot, the mechanism responsible for ensuring only trusted software loads during startup, and plant undetectable malware.
The vulnerabilities are listed under the CVE identifiers CVE20254421 through CVE20254426. Four of these are rated as high severity, while the remaining two are considered medium severity.
The high-severity vulnerabilities are related to memory corruption, which could allow attackers to escalate privileges and execute arbitrary code within SMM. The medium-severity issues involve risks such as information leaks and the ability to bypass existing security controls.
If attackers gain access to a vulnerable Lenovo device, they could exploit these flaws to circumvent SPI flash protections and Secure Boot, install implants that persist even after the operating system is reinstalled, and compromise hypervisor isolation.
Binarly reported the vulnerabilities to Lenovo in April, and Lenovo verified the issues in June. The company has since released patches and mitigation tools.
Both Lenovo and Binarly are expected to issue detailed security advisories on Tuesday outlining the discovered vulnerabilities. Binarly also recently identified SMM-related flaws in Gigabyte firmware. Furthermore, the company demonstrated last month how insecure UEFI firmware from DTResearch, a manufacturer of rugged computing devices, could be exploited to bypass Secure Boot protections on various systems.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
