Wednesday, June 11, 2025

 

DIGITAL LIFE


Critical Secure Boot Flaw Exposes PCs To Bootkit Malware Attacks, Patch ASAP

A newly disclosed Secure Boot vulnerability is putting a large number of PCs at risk of bootkit attacks, with security researchers urging immediate patching. The flaw, tracked as CVE-2025-3052, was uncovered by Binarly Research and involves a signed UEFI module that allows attackers to bypass or disable Secure Boot and execute unsigned code during system startup, before the OS even loads. This, in turn, could allow them to install 'bootkit' exploits that load from the EFI partition and are undetectable using tools running inside the operating system.

At the center of the problem is a UEFI module for BIOS flashing that was apparently first intended for rugged devices from DT Research. That module is signed with Microsoft’s widely trusted third-party UEFI CA 2011 certificate. Because that certificate is broadly accepted across most modern systems—it’s the same one used to sign Linux’s shim bootloader—any vulnerable module signed under it could run on countless machines.

Figure: exploit path

The vulnerability stems from sloppy handling of UEFI NVRAM variables. Specifically, the module reads a variable called "IhisiParamBuffer" and uses its contents directly as a memory pointer without any checking or validation. That gives attackers a powerful memory write primitive they can exploit to disable Secure Boot protections entirely, opening the door for stealthy bootkits that operate below the OS, potentially invisible to antivirus or EDR tools.

Even worse, Binarly's analysis (https://www.binarly.io/blog/another-crack-in-the-chain-of-trust) found that the issue wasn’t isolated to just this one module; Microsoft identified at least 14 affected binaries during coordinated disclosure. The mitigation landed as part of Microsoft’s June 2025 Patch Tuesday, which updated the Secure Boot revocation list (dbx) with new hashes to block these vulnerable modules.
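To confirm that a machine actually received the dbx update, the revocation list can be parsed and checked for the expected hashes. The following is an added example, not code from Binarly, Microsoft or this article: it walks the EFI_SIGNATURE_LIST structures defined in the UEFI specification and reports which expected SHA-256 entries are absent. The digests and the sample dbx blob are constructed placeholders, since the article does not list the real revocation hashes; the function names are hypothetical.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification; dbx entries of this type
# hold Authenticode SHA-256 hashes of revoked images (not plain file hashes).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_dbx_sha256(blob, has_attr_prefix=False):
    """Return the set of SHA-256 digests (hex) in a dbx blob."""
    blob = blob[4:] if has_attr_prefix else blob  # efivarfs prepends 4 attribute bytes
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid_le, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        if uuid.UUID(bytes_le=guid_le) == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:  # owner GUID + SHA-256 digest
                raise ValueError("unexpected SHA-256 entry size")
            start = off + LIST_HEADER.size + hdr_size
            for pos in range(start, off + list_size - sig_size + 1, sig_size):
                digests.add(blob[pos + 16:pos + sig_size].hex())
        off += list_size  # other signature types (e.g. X.509) are skipped
    return digests


def missing_revocations(blob, expected, has_attr_prefix=False):
    """Return the expected digests that are NOT present in the dbx blob."""
    present = parse_dbx_sha256(blob, has_attr_prefix)
    return sorted(h.lower() for h in expected if h.lower() not in present)


def build_sample_dbx(digests):
    """Build a constructed dbx blob (with efivarfs-style prefix) for the demo."""
    owner = uuid.UUID(int=0).bytes_le  # placeholder owner GUID
    body = b"".join(owner + bytes.fromhex(d) for d in digests)
    size = LIST_HEADER.size + len(body)
    hdr = LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, size, 0, 48)
    return b"\x27\x00\x00\x00" + hdr + body


if __name__ == "__main__":
    sample = build_sample_dbx(["aa" * 32, "bb" * 32])  # constructed digests
    expected = ["aa" * 32, "cc" * 32]  # placeholders for the vendor-published hashes
    print("missing from dbx:", missing_revocations(sample, expected, True))
```

On Linux the live list can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and passed with `has_attr_prefix=True`.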

mundophone
