Vulnerabilities related to Insyde Software - InsydeH2O
CVE-2025-4410 (GCVE-0-2025-4410)
Vulnerability from cvelistv5
Published
2025-08-13 01:49
Modified
2025-08-14 05:53
CWE
- CWE-20 - Improper Input Validation
Summary
A buffer overflow vulnerability exists in the module SetupUtility. An attacker with local privileged access can exploit this vulnerability to execute arbitrary code.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | See in the Reference link |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4410", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-13T13:16:19.518373Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-13T13:21:15.755Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "platforms": [ "See in the Reference link" ], "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "status": "affected", "version": "See in the Reference link", "versionType": "custom" } ] } ], "datePublic": "2025-08-13T01:34:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A buffer overflow vulnerability exists in the module SetupUtility. An attacker with local privileged access can exploit this vulnerability by executeing arbitrary code." } ], "value": "A buffer overflow vulnerability exists in the module SetupUtility. An attacker with local privileged access can exploit this vulnerability by executeing arbitrary code." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:53:21.108Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025005/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Intel Mobil Platforms:\u003cbr\u003e\u003cbr\u003ePantherLake: Version 05.71.04.0012 \u003cbr\u003eLunarLake: Version 05.62.21.0033\u003cbr\u003eArrowLake H/U: Version 05.55.17.0017\u003cbr\u003eArrowLake S/HX: Version 05.55.17.0028\u003cbr\u003eMeteorLake: Version 05.55.17.0036\u003cbr\u003eRapterLake: Version 05.47.21.0055\u003cbr\u003eTwinLake: Version 05.44.45.0027\u003cbr\u003e\u003cbr\u003eIntel Server/Embedded Platforms:\u003cbr\u003e\u003cbr\u003ePurley: Version 05.21.51.0064\u003cbr\u003eWhitley: Version 05.42.23.0078\u003cbr\u003eCedarIsland: Version 05.42.11.0031\u003cbr\u003eEagle Stream: Version 05.47.31.1049\u003cbr\u003eBirch Stream: Version 05.62.16.0082\u003cbr\u003eMehlow: Version 05.23.04.0054\u003cbr\u003eTatlow: Version 05.42.52.0029\u003cbr\u003eJacobsville: (Not Affected)\u003cbr\u003eHarrisonville: (Not Affected)\u003cbr\u003eIdaville: Version 05.47.21.0067\u003cbr\u003eWhiskeyLake: Version 05.23.45.0032\u003cbr\u003eCometLake-S: Version 05.34.19.0050\u003cbr\u003eTigerLake UP3/H: Version 05.43.12.0062\u003cbr\u003eAlderLake: 
Version 05.47.21.2055\u003cbr\u003eGemini Lake: (Not Affected)\u003cbr\u003eElkhartLake: Version 05.47.21.0028\u003cbr\u003eAlder Lake N: Version 05.47.21.0013\u003cbr\u003eAmstonLake: Version 05.47.21.0008\u003cbr\u003e" } ], "value": "Intel Mobil Platforms:\n\nPantherLake: Version 05.71.04.0012 \nLunarLake: Version 05.62.21.0033\nArrowLake H/U: Version 05.55.17.0017\nArrowLake S/HX: Version 05.55.17.0028\nMeteorLake: Version 05.55.17.0036\nRapterLake: Version 05.47.21.0055\nTwinLake: Version 05.44.45.0027\n\nIntel Server/Embedded Platforms:\n\nPurley: Version 05.21.51.0064\nWhitley: Version 05.42.23.0078\nCedarIsland: Version 05.42.11.0031\nEagle Stream: Version 05.47.31.1049\nBirch Stream: Version 05.62.16.0082\nMehlow: Version 05.23.04.0054\nTatlow: Version 05.42.52.0029\nJacobsville: (Not Affected)\nHarrisonville: (Not Affected)\nIdaville: Version 05.47.21.0067\nWhiskeyLake: Version 05.23.45.0032\nCometLake-S: Version 05.34.19.0050\nTigerLake UP3/H: Version 05.43.12.0062\nAlderLake: Version 05.47.21.2055\nGemini Lake: (Not Affected)\nElkhartLake: Version 05.47.21.0028\nAlder Lake N: Version 05.47.21.0013\nAmstonLake: Version 05.47.21.0008" } ], "source": { "discovery": "EXTERNAL" }, "title": "SetupUtility: A buffer overflow vulnerability leads to arbitrary code execution.", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4410", "datePublished": "2025-08-13T01:49:47.629Z", "dateReserved": "2025-05-07T06:45:13.610Z", "dateUpdated": "2025-08-14T05:53:21.108Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4422 (GCVE-0-2025-4422)
Vulnerability from cvelistv5
Published
2025-07-30 00:40
Modified
2025-08-14 05:57
CWE
- CWE-787 - Out-of-bounds Write
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Feature developed for Lenovo < L05.05.40.011803.172079 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4422", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:23:08.065387Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T14:50:12.457Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:57:12.813Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "EfiSmiServices : EfiPcdProtocol, SMM memory corruption vulnerabilities in SMM module", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4422", "datePublished": "2025-07-30T00:40:47.816Z", "dateReserved": "2025-05-08T03:44:55.188Z", "dateUpdated": "2025-08-14T05:57:12.813Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4426 (GCVE-0-2025-4426)
Vulnerability from cvelistv5
Published
2025-07-30 00:46
Modified
2025-08-14 05:55
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Feature developed for Lenovo < L05.05.40.011803.172079 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4426", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:53:39.417776Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T13:58:28.482Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:55:19.842Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "SetupAutomationSmm : SMRAM memory contents leak / information disclosure vulnerability in SMM module", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4426", "datePublished": "2025-07-30T00:46:27.918Z", "dateReserved": "2025-05-08T03:45:01.916Z", "dateUpdated": "2025-08-14T05:55:19.842Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4424 (GCVE-0-2025-4424)
Vulnerability from cvelistv5
Published
2025-07-30 00:43
Modified
2025-08-14 05:56
CWE
- CWE-20 - Improper Input Validation
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Feature developed for Lenovo < L05.05.40.011803.172079 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4424", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:22:57.190859Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T14:49:46.984Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:56:42.244Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "SetupAutomationSmm : Arbitrary calls to SmmSetVariable with unsanitised arguments in SMI handler", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4424", "datePublished": "2025-07-30T00:43:53.891Z", "dateReserved": "2025-05-08T03:44:58.462Z", "dateUpdated": "2025-08-14T05:56:42.244Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4423 (GCVE-0-2025-4423)
Vulnerability from cvelistv5
Published
2025-07-30 00:42
Modified
2025-08-14 05:56
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Feature developed for Lenovo < L05.05.40.011803.172079 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4423", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:23:02.618163Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T14:50:01.455Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:56:57.880Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "SetupAutomationSmm:Vulnerability in the SMM module allow attacker to write arbitrary code and lead to memory corruption", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4423", "datePublished": "2025-07-30T00:42:01.874Z", "dateReserved": "2025-05-08T03:44:57.075Z", "dateUpdated": "2025-08-14T05:56:57.880Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4277 (GCVE-0-2025-4277)
Vulnerability from cvelistv5
Published
2025-08-13 01:46
Modified
2025-08-14 05:54
CWE
- CWE-20 - Improper Input Validation
Summary
Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Kernel 5.2 < 05.2A.21 |
| Insyde Software | InsydeH2O | Kernel 5.3 < 05.39.21 |
| Insyde Software | InsydeH2O | Kernel 5.4 < 05.47.21 |
| Insyde Software | InsydeH2O | Kernel 5.5 < 05.55.21 |
| Insyde Software | InsydeH2O | Kernel 5.6 < 05.62.21 |
| Insyde Software | InsydeH2O | Kernel 5.7 < 05.71.21 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4277", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-13T13:21:46.313983Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-13T13:21:57.333Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "05.2A.21", "status": "affected", "version": "Kernel 5.2", "versionType": "custom" }, { "lessThan": "05.39.21", "status": "affected", "version": "Kernel 5.3", "versionType": "custom" }, { "lessThan": "05.47.21", "status": "affected", "version": "Kernel 5.4", "versionType": "custom" }, { "lessThan": "05.55.21", "status": "affected", "version": "Kernel 5.5", "versionType": "custom" }, { "lessThan": "05.62.21", "status": "affected", "version": "Kernel 5.6", "versionType": "custom" }, { "lessThan": "05.71.21", "status": "affected", "version": "Kernel 5.7", "versionType": "custom" } ] } ], "datePublic": "2025-08-13T01:34:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level." } ], "value": "Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:54:24.230Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025005/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Kernel 5.2, Version 05.2A.21\u003cbr\u003eKernel 5.3, Version 05.39.21\u003cbr\u003eKernel 5.4, Version 05.47.21\u003cbr\u003eKernel 5.5, Version 05.55.21\u003cbr\u003eKernel 5.6, Version 05.62.21\u003cbr\u003eKernel 5.7, Version 05.71.21\u003cbr\u003e" } ], "value": "Kernel 5.2, Version 05.2A.21\nKernel 5.3, Version 05.39.21\nKernel 5.4, Version 05.47.21\nKernel 5.5, Version 05.55.21\nKernel 5.6, Version 05.62.21\nKernel 5.7, Version 05.71.21" } ], "source": { "discovery": "EXTERNAL" }, "title": "Tcg2Smm: improper input validation may lead to arbitrary code execution", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4277", "datePublished": "2025-08-13T01:46:22.998Z", "dateReserved": "2025-05-05T02:10:48.657Z", "dateUpdated": "2025-08-14T05:54:24.230Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4276 (GCVE-0-2025-4276)
Vulnerability from cvelistv5
Published
2025-08-13 01:41
Modified
2025-08-14 05:54
CWE
- CWE-20 - Improper Input Validation
Summary
UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Kernel 5.3 < 05.39.18 |
| Insyde Software | InsydeH2O | Kernel 5.4 < 05.47.18 |
| Insyde Software | InsydeH2O | Kernel 5.5 < 05.55.18 |
| Insyde Software | InsydeH2O | Kernel 5.6 < 05.62.18 |
| Insyde Software | InsydeH2O | Kernel 5.7 < 05.71.18 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4276", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-13T13:22:18.366591Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-13T13:22:28.227Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "05.39.18", "status": "affected", "version": "Kernel 5.3", "versionType": "custom" }, { "lessThan": "05.47.18", "status": "affected", "version": "Kernel 5.4", "versionType": "custom" }, { "lessThan": "05.55.18", "status": "affected", "version": "Kernel 5.5", "versionType": "custom" }, { "lessThan": "05.62.18", "status": "affected", "version": "Kernel 5.6", "versionType": "custom" }, { "lessThan": "05.71.18", "status": "affected", "version": "Kernel 5.7", "versionType": "custom" } ] } ], "datePublic": "2025-08-13T01:34:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level." } ], "value": "UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:54:07.744Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025005/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Kernel 5.3 : Version Tag 05.39.18 \u003cbr\u003eKernel 5.4 : Version Tag 05.47.18 \u003cbr\u003eKernel 5.5 : Version Tag 05.55.18 \u003cbr\u003eKernel 5.6 : Version Tag 05.62.18 \u003cbr\u003eKernel 5.7 : Version Tag 05.71.18\u003cbr\u003e" } ], "value": "Kernel 5.3 : Version Tag 05.39.18 \nKernel 5.4 : Version Tag 05.47.18 \nKernel 5.5 : Version Tag 05.55.18 \nKernel 5.6 : Version Tag 05.62.18 \nKernel 5.7 : Version Tag 05.71.18" } ], "source": { "discovery": "EXTERNAL" }, "title": "UsbCoreDxe: improper input validation may lead to arbitrary code execution", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4276", "datePublished": "2025-08-13T01:41:56.834Z", "dateReserved": "2025-05-05T02:10:43.371Z", "dateUpdated": "2025-08-14T05:54:07.744Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4275 (GCVE-0-2025-4275)
Vulnerability from cvelistv5
Published
2025-06-11 00:25
Modified
2025-08-14 05:58
CWE
- CWE-284 - Improper Access Control
Summary
The digital signature verification process does not properly validate variable attributes, which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may be able to execute arbitrary signed UEFI code and bypass Secure Boot.
References
Impacted products
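| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Kernel 5.2 < 05.2A.16 |
| Insyde Software | InsydeH2O | Kernel 5.3 < 05.39.16 |
| Insyde Software | InsydeH2O | Kernel 5.4 < 05.47.16 |
| Insyde Software | InsydeH2O | Kernel 5.5 < 05.55.16 |
| Insyde Software | InsydeH2O | Kernel 5.6 < 05.62.16 |
| Insyde Software | InsydeH2O | Kernel 5.7 < 05.71.16 |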
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2025-06-11T01:32:11.159Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "https://www.kb.cert.org/vuls/id/211341" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2025-4275", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-06-11T13:38:13.231273Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T13:30:23.397Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "platforms": [ "kernel 5.2", "kernel 5.3", "kernel 5.4", "kernel 5.5", "kernel 5.6", "kernel 5.7" ], "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "05.2A.16", "status": "affected", "version": "Kernel 5.2", "versionType": "Tag" }, { "lessThan": "05.39.16", "status": "affected", "version": "Kernel 5.3", "versionType": "Tag" }, { "lessThan": "05.47.16", "status": "affected", "version": "Kernel 5.4", "versionType": "Tag" }, { "lessThan": "05.55.16", "status": "affected", "version": "Kernel 5.5", "versionType": "Tag" }, { "lessThan": "05.62.16", "status": "affected", "version": "Kernel 5.6", "versionType": "Tag" }, { "lessThan": "05.71.16", "status": "affected", "version": "Kernel 5.7", "versionType": "Tag" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Thanks to Nikolaj Schlej, independent firmware security researcher, for reporting the vulnerability and engaging in this coordinated disclosure." 
} ], "datePublic": "2025-06-10T00:18:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(235, 235, 235);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot.\u003c/span\u003e\n\n\u003c/span\u003e" } ], "value": "A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "cwe-284: Improper Access Control", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:58:07.245Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025002/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekernel 5.2, Version 05.2A.16\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 
255);\"\u003ekernel 5.3, Version 05.39.16\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekernel 5.4, Version 05.47.16\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekernel 5.5, Version 05.55.16\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekernel 5.6, Version 05.62.16\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ekernel 5.7, Version 05.71.16\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "kernel 5.2, Version 05.2A.16\nkernel 5.3, Version 05.39.16\nkernel 5.4, Version 05.47.16\nkernel 5.5, Version 05.55.16\nkernel 5.6, Version 05.62.16\nkernel 5.7, Version 05.71.16" } ], "source": { "discovery": "EXTERNAL" }, "title": "SecureFlashDxe: Incorrect UEFI variable attributes check allows usage of invalid certificate", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4275", "datePublished": "2025-06-11T00:25:17.737Z", "dateReserved": "2025-05-05T01:59:27.834Z", "dateUpdated": "2025-08-14T05:58:07.245Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4425 (GCVE-0-2025-4425)
Vulnerability from cvelistv5
Published
2025-07-30 00:45
Modified
2025-08-14 05:56
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
Vendor | Product | Version
---|---|---
Insyde Software | InsydeH2O | Version: Feature developed for Lenovo < L05.05.40.011803.172079
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4425", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:59:54.430045Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T14:00:56.269Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:56:26.016Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "SetupAutomationSmm: Stack overflow vulnerability in SMI handler", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4425", "datePublished": "2025-07-30T00:45:32.592Z", "dateReserved": "2025-05-08T03:45:00.211Z", "dateUpdated": "2025-08-14T05:56:26.016Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4421 (GCVE-0-2025-4421)
Vulnerability from cvelistv5
Published
2025-07-30 00:39
Modified
2025-08-14 05:57
CWE
- CWE-787 - Out-of-bounds Write
Summary
The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home
References
Impacted products
Vendor | Product | Version
---|---|---
Insyde Software | InsydeH2O | Version: Feature developed for Lenovo < L05.05.40.011803.172079
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4421", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-30T13:23:13.418617Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T15:24:03.890Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "InsydeH2O", "vendor": "Insyde Software", "versions": [ { "lessThan": "L05.05.40.011803.172079", "status": "affected", "version": "Feature developed for Lenovo", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "BINARLY REsearch team" } ], "datePublic": "2025-07-30T00:25:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e" } ], "value": "The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-14T05:57:27.258Z", "orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "shortName": "Insyde" }, "references": [ { "url": "https://www.insyde.com/security-pledge/sa-2025007/" }, { "url": "https://support.lenovo.com/us/en/product_security/home" } ], "source": { "discovery": "UNKNOWN" }, "title": "EfiSmiServices: gEfiSmmCpuProtocol, SMM memory corruption vulnerabilities in SMM module", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "assignerShortName": "Insyde", "cveId": "CVE-2025-4421", "datePublished": "2025-07-30T00:39:28.366Z", "dateReserved": "2025-05-08T03:44:51.949Z", "dateUpdated": "2025-08-14T05:57:27.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }