CVE-2025-4422 (GCVE-0-2025-4422)
Vulnerability from cvelistv5 – Published: 2025-07-30 00:40 – Updated: 2025-08-14 05:57
Title
EfiSmiServices : EfiPcdProtocol, SMM memory corruption vulnerabilities in SMM module
Summary
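The vulnerability was identified in code developed specifically for Lenovo. Please visit the "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability: https://support.lenovo.com/us/en/product_security/home. The record's title and CWE entry classify the issue as an out-of-bounds write (CWE-787) causing memory corruption in an SMM module.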
Severity (CVSS 3.1 base score)
8.2 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Insyde Software | InsydeH2O | Affected: Feature developed for Lenovo, < L05.05.40.011803.172079 (custom) |
Credits
BINARLY REsearch team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T13:23:08.065387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T14:50:12.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InsydeH2O",
"vendor": "Insyde Software",
"versions": [
{
"lessThan": "L05.05.40.011803.172079",
"status": "affected",
"version": "Feature developed for Lenovo",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BINARLY REsearch team"
}
],
"datePublic": "2025-07-30T00:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/home\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e"
}
],
"value": "The vulnerability was identified in the code developed specifically for Lenovo. Please visit \"Lenovo Product Security Advisories and Announcements\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T05:57:12.813Z",
"orgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21",
"shortName": "Insyde"
},
"references": [
{
"url": "https://www.insyde.com/security-pledge/sa-2025007/"
},
{
"url": "https://support.lenovo.com/us/en/product_security/home"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "EfiSmiServices : EfiPcdProtocol, SMM memory corruption vulnerabilities in SMM module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8338d8cb-57f7-4252-abc0-96fd13e98d21",
"assignerShortName": "Insyde",
"cveId": "CVE-2025-4422",
"datePublished": "2025-07-30T00:40:47.816Z",
"dateReserved": "2025-05-08T03:44:55.188Z",
"dateUpdated": "2025-08-14T05:57:12.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-4422\",\"sourceIdentifier\":\"8338d8cb-57f7-4252-abc0-96fd13e98d21\",\"published\":\"2025-07-30T01:15:25.030\",\"lastModified\":\"2025-07-31T18:42:37.870\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The vulnerability was identified in the code developed specifically for Lenovo. Please visit \\\"Lenovo Product Security Advisories and Announcements\\\" webpage for more information about the vulnerability.\u00a0 https://support.lenovo.com/us/en/product_security/home\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad se identific\u00f3 en el c\u00f3digo desarrollado espec\u00edficamente para Lenovo. Para obtener m\u00e1s informaci\u00f3n sobre la vulnerabilidad, visite la p\u00e1gina web \\\"Avisos y anuncios de seguridad de productos Lenovo\\\": https://support.lenovo.com/us/en/product_security/home\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"8338d8cb-57f7-4252-abc0-96fd13e98d21\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"8338d8cb-57f7-4252-abc0-96fd13e98d21\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"references\":[{\"url\":\"https://support.lenovo.com/us/en/product_security/home\",\"source\":\"8338d8cb-57f7-4252-abc0-96fd13e98d21\"},{\"url\":\"https://www.insyde.com/security-pledge/sa-2025007/\",\"source\":\"8338d8cb-57f7-4252-abc0-96fd13e98d21\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4422\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-30T13:23:08.065387Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-30T13:23:09.270Z\"}}], \"cna\": {\"title\": \"EfiSmiServices : EfiPcdProtocol, SMM memory corruption vulnerabilities in SMM module\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"BINARLY REsearch team\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Insyde Software\", \"product\": \"InsydeH2O\", \"versions\": [{\"status\": \"affected\", \"version\": \"Feature developed for Lenovo\", \"lessThan\": \"L05.05.40.011803.172079\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-07-30T00:25:00.000Z\", \"references\": [{\"url\": \"https://www.insyde.com/security-pledge/sa-2025007/\"}, {\"url\": \"https://support.lenovo.com/us/en/product_security/home\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The vulnerability was identified in the code developed specifically for Lenovo. 
Please visit \\\"Lenovo Product Security Advisories and Announcements\\\" webpage for more information about the vulnerability.\\u00a0 https://support.lenovo.com/us/en/product_security/home\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vulnerability was identified in the code developed specifically for Lenovo. Please visit \\\"Lenovo Product Security Advisories and Announcements\\\" webpage for more information about the vulnerability.\u0026nbsp;\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://support.lenovo.com/us/en/product_security/home\\\"\u003ehttps://support.lenovo.com/us/en/product_security/home\u003c/a\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"8338d8cb-57f7-4252-abc0-96fd13e98d21\", \"shortName\": \"Insyde\", \"dateUpdated\": \"2025-08-14T05:57:12.813Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-4422\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-14T05:57:12.813Z\", \"dateReserved\": \"2025-05-08T03:44:55.188Z\", \"assignerOrgId\": \"8338d8cb-57f7-4252-abc0-96fd13e98d21\", \"datePublished\": \"2025-07-30T00:40:47.816Z\", \"assignerShortName\": \"Insyde\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.