A newly discovered flaw, tracked as CVE-2025-3052, allows attackers to bypass Secure Boot on most systems by exploiting a signed BIOS utility, potentially leading to bootkit malware infections.
The vulnerability exists in a legitimate BIOS flashing tool signed with Microsoft's "UEFI CA 2011" certificate—trusted on nearly all Secure Boot-enabled hardware.
Security firm Binarly found the tool in the wild, determining it was accessible since late 2022 and later uploaded to VirusTotal in 2024. The exploit works by modifying a user-writable NVRAM variable to manipulate memory during the boot process, enabling the disabling of Secure Boot before the OS even starts.
Microsoft addressed the issue in its June 2025 Patch Tuesday updates by adding 14 affected module hashes to the Secure Boot revocation list. Binarly urges immediate patching, as the exploit allows attackers with admin rights to run unsigned UEFI code, bypassing security entirely.
Separately, another Secure Boot vulnerability in Insyde H2O firmware, dubbed Hydroph0bia (CVE-2025-4275), was also disclosed and patched.
Read more...