Press Center

Malware and antivirus software


ESET Research discovers vulnerabilities in Lenovo laptops exposing users to risk of UEFI malware installation

Created: 2022-04-19 08:55:19

  • Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware such as LoJax and ESPecter.
  • UEFI threats can be extremely stealthy and dangerous.
  • Discovered vulnerabilities are: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972.
  • ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware.

BRATISLAVA — April 19, 2022 — ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo laptop models. Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like our latest discovery ESPecter. ESET reported all discovered vulnerabilities to Lenovo in October 2021. Altogether, the list of affected devices contains more than one hundred different laptop models with millions of users worldwide.

“UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” says ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery of these UEFI so-called “secure” backdoors demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this,” he adds.

The first two of these vulnerabilities – CVE-2021-3970, CVE-2021-3971 – are perhaps more accurately called “secure” backdoors built into the UEFI firmware as that is literally the name given to the Lenovo UEFI drivers implementing one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.

In addition, while investigating the “secure” backdoors’ binaries, we discovered a third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3972). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.

The UEFI boot and runtime services provide the basic functions and data structures necessary for the drivers and applications to do their job, such as installing protocols, locating existing protocols, memory allocation, UEFI variable manipulation, etc. UEFI boot drivers and applications use protocols extensively.  UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.

SMM, on the other hand, is a highly privileged execution mode of x86 processors. Its code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates.

“All of the real-world UEFI threats discovered in the last years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” explains Smolár. ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware by following the manufacturer’s instruction.

For those using End Of Development Support devices affected by the UEFI SecureBootBackdoor (CVE-2021-3970), without any fixes available: one way to help you protect against unwanted modification of the UEFI Secure Boot state is to use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration change.

For more technical information, check out the blogpost When "secure" isn't secure at all: High-impact UEFI vulnerabilities discovered in Lenovo consumer laptops on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.



About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit or call (65) 6296-4268.


ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.