Microsoft’s Risk Intelligence group has leveraged its AI-driven Safety Copilot software to establish 20 crucial vulnerabilities in broadly used open-source bootloaders — GRUB2, U-Boot, and Barebox.
These bootloaders are essential for initializing working methods, significantly in Linux-based environments and embedded methods. The newly found flaws have an effect on methods using Unified Extensible Firmware Interface (UEFI) Safe Boot, together with IoT units, cloud infrastructure, and enterprise IT environments.
The vulnerabilities, together with an exploitable integer overflow problem, might allow attackers to execute arbitrary code. In GRUB2’s case, attackers might probably bypass Safe Boot, set up stealthy bootkits, and evade enterprise security mechanisms like BitLocker encryption, Microsoft’s Risk Intelligence group mentioned in a weblog publish.
“The implications of putting in such bootkits are vital, as this may grant menace actors full management over the machine, permitting them to regulate the boot course of and working system, compromise further units on the community, and pursue different malicious actions,” Microsoft mentioned.
This improvement raises considerations for organizations counting on Safe Boot for machine integrity and system safety. In accordance with Microsoft, the vulnerabilities are significantly regarding as a result of profitable exploitation might result in persistent threats which can be troublesome to take away.
Considerations over persistent malware
Whereas exploiting vulnerabilities in U-boot or Barebox would doubtless require bodily machine entry, the GRUB2 flaws current extra vital threats to enterprise environments. Essentially the most regarding side, in keeping with Microsoft is the potential of making a persistent malware that may stay intact even after an working system reinstallation or a tough drive alternative.
“These bootloader vulnerabilities — particularly in GRUB2 — are vital as a result of they allow attackers to implant malware that persists even after OS reinstallation or storage drive alternative,” mentioned Prabhjyot Kaur, senior analyst at Everest Group. “Excessive-security sectors like authorities, finance, healthcare, and significant infrastructure ought to prioritize patching instantly.”
This stage of persistence makes these vulnerabilities significantly harmful, as conventional remediation steps can be ineffective towards such deeply embedded threats. Organizations with massive Linux deployments or IoT machine fleets ought to be particularly involved.
Microsoft disclosed the vulnerabilities to all affected bootloader maintainers and collaborated on growing fixes. Safety updates have been launched in mid-February 2025, with GRUB2 patches out there as of February 18 and each U-boot and Barebox patches launched on February 19, the weblog added.
AI-powered discovery adjustments the cybersecurity panorama
Microsoft’s Safety Copilot software considerably accelerated the vulnerability identification course of, with a specific give attention to filesystem implementations attributable to their excessive vulnerability potential.
“Utilizing Safety Copilot, we have been in a position to establish potential security points in bootloader functionalities, specializing in filesystems attributable to their excessive vulnerability potential,” the weblog acknowledged. “This method saved our group roughly every week’s price of time that may have in any other case been spent manually reviewing the content material.”
By rigorously crafted prompts, Safety Copilot helped uncover an exploitable integer overflow vulnerability and assisted to find related vulnerability patterns throughout a number of recordsdata.
“We’re sharing this analysis for example of the elevated effectivity, streamlined workflows, and improved capabilities that AI options like Safety Copilot can ship for defenders, security researchers, and SOC analysts,” the weblog famous.
“The most important shift we’re seeing is from a standard accountable disclosure method to one thing fairly completely different,” mentioned Sunil Varkey, advisor at Beagle Safety. “When AI begins discovering vulnerabilities at this accelerated tempo, we’ll doubtless see many extra zero-days within the wild.”
Varkey pointed to an rising situation he calls “a bizarre state the place all events — each defenders and attackers — find out about vulnerabilities concurrently. It’s just like the Wild West ready to see who shoots first, whereas many defenders haven’t ready for this velocity of discovery.”
“AI can analyze massive codebases, detect reminiscence dealing with patterns, and counsel fixes at speeds that far outstrip handbook evaluation,” Kaur added. “Whereas defenders profit from improved response instances, attackers are additionally leveraging AI—making a steady arms race the place either side use these applied sciences to tip the stability.”
As AI instruments turn out to be more and more important for each attackers and defenders, Microsoft emphasised that info sharing amongst security distributors and researchers stays essential to sustaining security benefits.
“For many years, the cybersecurity battlefield has been asymmetrical,” Gogia identified. “Attackers had time, creativity, and 0 pink tape. Defenders? Overworked, reactive, and drowning in alerts. However AI is altering that calculus.”
Implications for enterprise security
For enterprise security groups, these discoveries spotlight the significance of sustaining up-to-date firmware and bootloaders — areas typically neglected in common patch administration processes. Organizations ought to evaluate their vulnerability administration packages to make sure they adequately handle these elements.
The vulnerabilities additionally underscore the continuing dangers related to provide chain security, as many organizations could also be utilizing these bootloaders with out being straight conscious of the underlying elements.
Safety consultants suggest organizations stock affected methods, prioritize making use of the February 2025 security updates, implement monitoring for exploitation makes an attempt, and evaluate firmware replace processes to make sure bootloaders are included in common security upkeep.
“Organizations ought to develop insurance policies that explicitly handle firmware and bootloader updates, preserve {hardware} inventories noting which methods use affected bootloaders, and incorporate these lower-level elements into present patch administration cycles,” Kaur recommended.
In accordance with Varkey, addressing bootloader vulnerabilities presents distinctive challenges. “Whereas it’s crucial to mitigate such vulnerabilities on the firmware stage, it’s all the time a severe problem. Mitigation patches might not be out there generally, and their launch extremely relies on OEM distributors prioritizing them — just like challenges with OT units and different firmware.” “Many publicly recognized vulnerabilities are by no means acknowledged or patched by distributors,” Varkey famous. “The one choice in such situations is to guard on the perimeter or the entry management stage.”
