Wednesday, April 9, 2025

Several High-Severity Lenovo BIOS Vulnerabilities Impact Hundreds of Devices

Recently, Lenovo released new BIOS updates that fix high-severity vulnerabilities impacting hundreds of devices across several model lines (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).

The potential impact may include information disclosure, privilege escalation, and denial of service.

The List of Vulnerabilities Includes:

  • CVE-2021-28216 – Fixed pointer vulnerability in TianoCore EDK II BIOS that allows an attacker with local access and elevated privileges to execute arbitrary code. TianoCore EDK II is the foundational open source UEFI (BIOS) code used throughout the industry in all modern computers.
  • CVE-2022-40134 – Information leak vulnerability in the SMI Set BIOS Password SMI Handler that allows an attacker with local access and elevated privileges to read SMM memory.
  • CVE-2022-40135 – Information leak vulnerability in the Smart USB Protection SMI Handler that allows an attacker with local access and elevated privileges to read SMM memory.
  • CVE-2022-40136 – Information leak vulnerability in the SMI Handler used to configure platform settings over WMI in some Lenovo models that allows an attacker with local access and elevated privileges to read SMM memory.
  • CVE-2022-40137 – Buffer overflow in the WMI SMI Handler that allows an attacker with local access and elevated privileges to execute arbitrary code.

The updates also include American Megatrends (AMI) security enhancements, for which no CVE is available.

To Download the Latest Version:

  • Search for your product by name or machine type.
  • Click Drivers & Software on the left menu panel.
  • Click on Manual Update.

Recommendation

According to Lenovo’s security advisory, “Update system firmware to the version (or newer) indicated for your model”.

The company has fixed the issues in the new BIOS updates for impacted products. The remaining fixes are expected by the end of September and October, and a few models may receive patches in the upcoming year.

The complete list of impacted computer models and the BIOS firmware versions that address the vulnerabilities is included in the ‘Security Advisory’, with links to the download portal for each model.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.