- Binarly spotted a legitimate utility, trusted on most modern systems utilizing UEFI firmware, carrying a flaw
- The flaw allowed threat actors to deploy bootkit malware
- Microsoft patched it the June 2025 Patch Tuesday cumulative update
Microsoft has fixed a Secure Boot vulnerability that allowed threat actors to turn off security solutions and install bootkit malware on most PCs.
Security researchers Binarly recently discovered a legitimate BIOS update utility, signed with Microsoft’s UEFI CA 2011 certificate. This root certificate, used in the Unified Extensible Firmware Interface (UEFI) Secure Boot process, plays a central role in verifying the authenticity and integrity of bootloaders, operating systems, and other low-level software before a system boots.
According to the researchers, the utility is trusted on most modern systems utilizing UEFI firmware – but the problem stems from the fact it reads a user-writable NVRAM variable without proper validation, meaning an attacker with admin access to an operating system can modify the variable and write arbitrary data to memory locations during the UEFI boot process.
Binarly managed to use this vulnerability to disable Secure Boot and allow any unsigned UEFI modules to run. In other words, they were able to disable security features and install bootkit malware that cannot be removed even if the hard drive is replaced.
The vulnerable module had been circulating in the wild since 2022, and was uploaded to VirusTotal in 2024 before being reported to Microsoft in late February 2025.
Microsoft recently released the June edition of Patch Tuesday, its cumulative update addressing different, recently-discovered, vulnerabilities – among which was the arbitrary write vulnerability in Microsoft signed UEFI firmware, which is now tracked as CVE-2025-3052. It was assigned a severity score of 8.2/10 (high).
The company also determined that the vulnerability affected 14 modules in total, now fixing all of them.
“During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but actually 14 different modules,” Binarly said. “For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes.”
Via BleepingComputer
