Lenovo, one of the most popular computer manufacturers in the world, just announced that many of its laptops and desktops need immediate BIOS updates to secure them from serious security vulnerabilities. Six flaws have been found; however, none have been reported as being actively exploited thus far.
Lenovo lists the affected models, which range from desktops and all-in-ones to laptops and even servers. Models include several IdeaCentre, ThinkCentre, ThinkStation, ThinkSystem, Legion, M-series, V-series, and Yoga desktops and all-in-ones. A large number of laptops are affected as well, including IdeaPad, ThinkPad, ThinkBook, Legion, Yoga, and Flex models.
There are hundreds of computer models affected and everyone that owns a Lenovo laptop, desktop, or server should check if their model is on the list.
The vulnerabilities could lead to elevated privileges for attackers, unauthorized access to data, denial of service, and even arbitrary code execution. Not every model is affected by every bug listed but Lenovo didn’t itemize by model. The full CVE list shows 5 vulnerabilities: CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, and CVE-2022-40137. American Megatrends released security enhancements for its AMI BIOS, which is used by Lenovo, but there isn’t a CVE available for this vulnerability.
Lenovo provided links to download the required updates. For Lenovo Products, search for your model on Lenovo’s support page, and for IBM-branded products, search IBM’s Fix Central page. Lenovo also has a tutorial page with specific instructions for each model if you need further help.
BleepingComputer first spotted Lenovo’s important BIOS update. Make sure to check if your Lenovo laptop, computer, or server is affected and update as soon as possible to keep your data, network, and computer secure.
