Dozens of Gigabyte motherboard fashions run on UEFI firmware weak to security points that enable planting bootkit malware that’s invisible to the working system and may survive reinstalls.
The vulnerabilities may enable attackers with native or distant admin permissions to execute arbitrary code in System Administration Mode (SMM), an setting remoted from the working system (OS) and with extra privileges on the machine.
Mechanisms working code beneath the OS have low-level {hardware} entry and provoke at boot time. Due to this, malware in these environments can bypass conventional security defenses on the system.
UEFI, or Unified Extensible Firmware Interface, firmware is safer because of the Safe Boot function that ensures by cryptographic verifications {that a} gadget makes use of at boot time code that’s protected and trusted.
Because of this, UEFI-level malware like bootkits (BlackLotus, CosmicStrand, MosaicAggressor, MoonBounce, LoJax) can deploy malicious code at each boot.
Loads of motherboards impacted
The 4 vulnerabilities are in Gigabyte firmware implementations and have been found by researchers at firmware security firm Binarly, who shared their findings with Carnegie Mellon College’s CERT Coordination Middle (CERT/CC).
The unique firmware provider is American Megatrends Inc. (AMI), which addressed the problems after a personal disclosure however some OEM firmware builds (e.g. Gigabyte’s) didn’t implement the fixes on the time.
In Gigabyte firmware implementations, Binarly discovered the next vulnerabilities, all with a high-severity rating of 8.2:
- CVE-2025-7029: bug in an SMI handler (OverClockSmiHandler) that may result in SMM privilege escalation
- CVE-2025-7028: bug in an SMI handler (SmiFlash) offers learn/write entry to the System Administration RAM (SMRAM), which might result in malware set up
- CVE-2025-7027: can result in SMM privilege escalation and modifying the firmware by writing arbitrary content material to SMRAM
- CVE-2025-7026: permits arbitrary writes to SMRAM and may result in privilege escalation to SMM and chronic firmware compromise
By our rely, there are a bit of greater than 240 motherboard fashions impacted – together with revisions, variants, and region-specific editions, with firmware up to date between late 2023 and mid-August 2024.
BleepingComputer reached out to Binarly for an official rely and an organization consultant informed us that “over 100 product strains are affected.”
Merchandise from different enterprise gadget distributors are additionally impacted by the 4 vulnerabilities however their names stay undisclosed till fixes develop into out there.
Binarly researchers notified Carnegie Mellon CERT/CC in regards to the points on April 15 and Gigabyte confirmed the vulnerabilities on June 12, adopted by the discharge of firmware updates, in accordance with CERT/CC.
Nevertheless, the OEM has not revealed a security bulletin in regards to the security issues that Binarly reported. BleepingComputer has emailed the {hardware} vendor a request for remark however we’re nonetheless ready for his or her response.
In the meantime, Binarly founder and CEO Alex Matrosov informed BleepingComputer that Gigabyte probably hasn’t launched fixes. With most of the merchandise already having reached end-of-life, customers shouldn’t anticipate to obtain any security updates.
“As a result of all these 4 vulnerabilities originated from AMI reference code, AMI disclosed these vulnerabilities some time in the past with their silent disclosure to paid prospects solely underneath NDA, and it prompted important results for years on the downstream distributors once they stayed weak and unpatched” – Alex Matrosov
“It appears that evidently Gigabyte has not launched any fixes but, and most of the affected units have reached end-of-life standing, which means they’ll doubtless stay weak indefinitely.”
Whereas the danger for normal customers is admittedly low, these in vital environments can assess the precise threat with Binarly’s Danger Hunt scanner device, which incorporates free detection for the 4 vulnerabilities.
Computer systems from varied OEMs utilizing Gigabyte motherboards could also be weak, so customers are suggested to observe for firmware updates and apply them promptly.
UPDATE [July 14th, 13:23 EST]: Article up to date with remark from Binarly saying that the 4 vulnerabilities have an effect on greater than 100 motherboards, and that merchandise from different distributors are impacted.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent menace actors.
