Recommended reading

A worrying Windows SecureBoot issue could let hackers install malware - here's what we know, and whether you need to update

News
By published

A legitimate module could have been abused to deploy bootkit malware

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • Binarly spotted a legitimate utility, trusted on most modern systems utilizing UEFI firmware, carrying a flaw
  • The flaw allowed threat actors to deploy bootkit malware
  • Microsoft patched it the June 2025 Patch Tuesday cumulative update

Microsoft has fixed a Secure Boot vulnerability that allowed threat actors to turn off security solutions and install bootkit malware on most PCs.

Security researchers Binarly recently discovered a legitimate BIOS update utility, signed with Microsoft’s UEFI CA 2011 certificate. This root certificate, used in the Unified Extensible Firmware Interface (UEFI) Secure Boot process, plays a central role in verifying the authenticity and integrity of bootloaders, operating systems, and other low-level software before a system boots.

According to the researchers, the utility is trusted on most modern systems utilizing UEFI firmware - but the problem stems from the fact it reads a user-writable NVRAM variable without proper validation, meaning an attacker with admin access to an operating system can modify the variable and write arbitrary data to memory locations during the UEFI boot process.

Microsoft finds 13 extra modules

Binarly managed to use this vulnerability to disable Secure Boot and allow any unsigned UEFI modules to run. In other words, they were able to disable security features and install bootkit malware that cannot be removed even if the hard drive is replaced.

The vulnerable module had been circulating in the wild since 2022, and was uploaded to VirusTotal in 2024 before being reported to Microsoft in late February 2025.

Microsoft recently released the June edition of Patch Tuesday, its cumulative update addressing different, recently-discovered, vulnerabilities - among which was the arbitrary write vulnerability in Microsoft signed UEFI firmware, which is now tracked as CVE-2025-3052. It was assigned a severity score of 8.2/10 (high).

The company also determined that the vulnerability affected 14 modules in total, now fixing all of them.

"During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but actually 14 different modules," Binarly said. "For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes."

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.