
Lenovo's all-in-one computers discovered with major security vulnerabilities

Flaws in the firmware of certain Lenovo PCs pose potential risks. A list of vulnerable models and recommendations for action are provided.


Lenovo has announced that urgent firmware updates are planned for several of its all-in-one PC models due to the discovery of six security vulnerabilities. The updates are scheduled to be released between September 30, 2025, and November 30, 2025.

The affected models include the Lenovo Yoga AIO 27IAH10, Yoga AIO 32ILL10, and Yoga AIO 9 32IRH8. The Yoga AIO 32ILL10 and Yoga AIO 9 32IRH8 models are expected to receive their BIOS updates by September 30, 2025, while the Yoga AIO 27IAH10's update is targeted for November 30, 2025.

Firmware, also known as UEFI/BIOS, is the fundamental software for starting and operating a computer, stored on chips on the mainboard. If exploited, these vulnerabilities could potentially allow attackers to gain access to the UEFI before the PC starts, giving them the ability to take complete control of the affected computers.

The vulnerabilities require local administrative access to exploit but could allow attackers to execute arbitrary code or gain complete system control by attacking the system management mode (SMM). Four of the security vulnerabilities in the affected Lenovo PCs are considered critical.

Lenovo advises users to regularly check their support pages for update availability and to apply patches as soon as they are released. Updates can be found on Lenovo’s official support website under the Drivers & Software section. Automated update management tools are also provided to simplify patch installation for both individual and enterprise users.

Meanwhile, BIOS updates for Lenovo's IdeaCentre AIO 3 series models are already available. Firmware updates (O6BKT1AA) for the IdeaCentre AIO 3 models can be downloaded and installed via the Lenovo support page.

It is important to note that malicious code could be stored in the UEFI by attackers who exploit these vulnerabilities. Lenovo emphasizes timely updating to mitigate these risks.

Owners of the affected Yoga models should check Lenovo's support pages regularly for firmware updates. At the moment, no updates have been released for the Yoga AIO 27IAH10, Yoga AIO 32ILL10, and Yoga AIO 9 32IRH8 all-in-one PCs.

For more information, visit Lenovo’s official support website. Stay safe and keep your systems updated.


  1. Lenovo urges users of the Yoga AIO 27IAH10, Yoga AIO 32ILL10, and Yoga AIO 9 32IRH8 all-in-one PCs to watch for the forthcoming firmware updates, as these models are affected by six security vulnerabilities in their firmware.
  2. To protect their computers, owners of the affected Yoga models should regularly check Lenovo's support pages for firmware updates, such as the BIOS update scheduled for the Yoga AIO 27IAH10 on November 30, 2025.
