
Security researchers have uncovered two significant vulnerabilities that can completely bypass Secure Boot protections on UEFI-compatible systems, potentially affecting millions of devices worldwide. These discoveries highlight persistent weaknesses in the fundamental security mechanisms designed to protect computers during the boot process.
The first vulnerability, designated CVE-2025-3052 and discovered by Binarly Research, affects systems that trust Microsoft's widely-used third-party UEFI certificate.
The flaw exists in a BIOS flashing tool originally developed for DT Research devices but signed with Microsoft's "Microsoft Corporation UEFI CA 2011" certificate. This same certificate is used to sign critical components like the Linux bootloader shim, dramatically expanding the vulnerability's potential impact across diverse computing environments.
Figure: PoC exploiting CVE-2025-3052
The vulnerability stems from unsafe handling of NVRAM variables, a persistent problem in the UEFI ecosystem.
According to Binarly's analysis, "the signed application reads the content of the IhisiParamBuffer variable and directly uses it as a pointer for multiple memory write operations, without performing any validation or sanity checks on its value." This allows attackers to achieve arbitrary memory writes, effectively disabling Secure Boot by overwriting critical system variables.
The second vulnerability, CVE-2025-4275, dubbed "Hydroph0bia," specifically targets Insyde H2O-based firmware implementations. Discovered by an independent researcher, this flaw exploits the firmware's update mechanism through NVRAM variable manipulation.
The vulnerability allows attackers to inject their own certificates into the system's trust chain, convincing the firmware to accept malicious code as legitimate.
Both vulnerabilities share a common attack vector: they require attackers to have local administrator privileges to modify NVRAM variables. However, once exploited, they provide powerful capabilities that execute before the operating system loads, enabling the installation of bootkits and other persistent threats that can survive system reinstalls.
The impact extends beyond individual systems, creating complex supply chain security challenges. The Binarly researchers noted an ironic situation where "a mistake by one vendor can affect the entire ecosystem, except for the vendor itself."
This occurs because while the vulnerable DT Research module was originally designed for specific devices, it can execute on any system that trusts Microsoft's widely-used UEFI certificate.
Paradoxically, Insyde-based systems—where the vulnerable NVRAM variable is typically locked—remain protected, while other manufacturers' devices become vulnerable due to their reliance on the same trusted certificate infrastructure.
Microsoft has responded to CVE-2025-3052 by adding 14 new hashes to the Secure Boot revocation database (dbx) as part of their June 10, 2025 Patch Tuesday update. Meanwhile, Insyde has addressed CVE-2025-4275 through their own security advisory process.
System administrators are strongly advised to update their systems' dbx databases and apply all available firmware updates to protect against these and similar vulnerabilities.
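To confirm that a dbx update actually landed, an administrator can parse the dbx variable and check it for the expected revocation hashes. The following is an added example, not code from the article, Binarly or Microsoft. The function names are hypothetical, and the two digests are constructed stand-ins for the real revoked hashes, which this page does not list.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID, as defined in the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def dbx_sha256_hashes(blob, efivarfs=False):
    """Return the set of SHA-256 digests (hex) found in a dbx blob."""
    if efivarfs:
        blob = blob[4:]  # Linux efivarfs prepends a 4-byte attributes field
    found, off = set(), 0
    while off + 28 <= len(blob):
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed signature list at offset {off}")
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                # each entry: 16-byte SignatureOwner GUID, then the 32-byte digest
                found.add(blob[pos + 16:pos + 48].hex())
                pos += sig_size
        off += list_size  # skip to the next list (X.509 lists are ignored)
    return found

def missing_revocations(blob, required, efivarfs=False):
    """Return the required digests that are NOT yet revoked in this dbx."""
    present = dbx_sha256_hashes(blob, efivarfs)
    return sorted(h.lower() for h in required if h.lower() not in present)

def build_list(digests, owner=uuid.UUID(int=0)):
    """Constructed helper: build one SHA-256 signature list for the demo."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample data: placeholder digests, not the real revoked hashes.
REVOKED_A = hashlib.sha256(b"constructed-module-a").hexdigest()
REVOKED_B = hashlib.sha256(b"constructed-module-b").hexdigest()
SAMPLE_DBX = b"\x27\x00\x00\x00" + build_list([bytes.fromhex(REVOKED_A)])

if __name__ == "__main__":
    # Prints the digests still missing from the sample dbx (REVOKED_B here).
    print(missing_revocations(SAMPLE_DBX, [REVOKED_A, REVOKED_B], efivarfs=True))
```

On Linux, the live variable can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and passed in with `efivarfs=True`; the required list should come from the vendor's published revocation data.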