VYPR
Medium severity (6.0) · NVD Advisory · Published Jul 30, 2025 · Updated Apr 15, 2026

CVE-2025-4424

Description

The vulnerability was identified in the code developed specifically for Lenovo. Please visit the "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability: https://support.lenovo.com/us/en/product_security/home

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-4424 is a medium-severity improper input validation vulnerability in the SetupAutomationSmm SMM module that allows arbitrary calls to SmmSetVariable.

Vulnerability Description

CVE-2025-4424 is a vulnerability identified in the SetupAutomationSmm component of Insyde firmware code developed specifically for Lenovo systems [1]. The root cause is improper input validation (CWE-20) in a System Management Interrupt (SMI) handler, which allows an attacker to make arbitrary calls to the SmmSetVariable function with unsanitised arguments [1].

Exploitation Context

The vulnerability is exploitable locally with high privileges (AV:L/AC:L/PR:H/UI:N/S:C) [1]. An attacker must already have elevated privileges (e.g., kernel-level access) to invoke the vulnerable SMI handler. No user interaction is required, and the attack complexity is low. The vulnerability does not affect confidentiality but has a high integrity impact.

Impact

Successful exploitation enables an attacker with high privileges to set arbitrary UEFI variables via SmmSetVariable, bypassing integrity checks in System Management Mode (SMM) [1]. This can lead to persistent corruption of firmware settings or compromise of secure boot and other platform security features.

Mitigation Status

Lenovo and Insyde have released advisories; users should apply firmware updates from Lenovo's security portal [1]. The vulnerability is fixed in the latest firmware versions. No workaround is available beyond updating.

References
  1. SA-2025007

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
