- Binarly discovered a memory-write flaw in a legitimate, Microsoft-signed BIOS update tool that most modern UEFI systems trust
- The flaw let attackers with administrator rights disable Secure Boot and install bootkit malware
- Microsoft blocked the affected modules in the June 2025 Patch Tuesday cumulative update
Microsoft has fixed a Secure Boot vulnerability that allowed threat actors to switch off security protections and install bootkit malware on most PCs.
Security researchers at Binarly recently discovered a legitimate BIOS update tool signed with Microsoft's UEFI CA 2011 certificate. This certificate is trusted by the Unified Extensible Firmware Interface (UEFI) Secure Boot process and plays a key role in verifying the authenticity and integrity of bootloaders, operating systems and other low-level software before a system boots.
According to the researchers, the tool is trusted by most modern systems that use UEFI firmware, but the problem is that it reads a user-writable NVRAM variable without proper validation. An attacker who already has administrator access to the operating system can therefore change that variable and use it to write arbitrary data to memory locations during the UEFI boot process, before the operating system and its security software are running.
Binarly used this vulnerability to disable Secure Boot, which allows any unsigned UEFI module to run. In other words, they were able to turn off the security features and install bootkit malware that persists even if the hard drive is replaced.
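To make the flaw pattern concrete, the following C program is an added illustration, not code from Binarly, Microsoft or the article. It models one NVRAM variable (the name "ToolParams" and its layout are hypothetical; the page does not name the real variable) and a tiny stand-in for gRT->GetVariable(). The vulnerable handler trusts the variable's attributes, length and the pointer it carries, so an OS administrator who sets the variable can redirect the write at any firmware global. The hardened handler beside it rejects variables that carry EFI_VARIABLE_RUNTIME_ACCESS (and so could have been set from the OS), demands the exact size, and bounds the destination to a firmware-owned buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* UEFI variable attribute bits, values as defined in the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE        0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x00000004u

/* Constructed stand-in for one NVRAM variable ("ToolParams" is a hypothetical name)
 * and for gRT->GetVariable(); real firmware would call the runtime services table. */
typedef struct { uint32_t attrs; size_t size; uint8_t data[64]; } NvramVar;
static NvramVar g_ToolParams;

static int get_variable(uint32_t *attrs, size_t *size, void *out)
{
    if (g_ToolParams.size == 0 || g_ToolParams.size > *size)
        return -1;                       /* EFI_NOT_FOUND / EFI_BUFFER_TOO_SMALL */
    *attrs = g_ToolParams.attrs;
    *size  = g_ToolParams.size;
    memcpy(out, g_ToolParams.data, *size);
    return 0;
}

/* Layout the update tool expects inside the variable: where to write and what to write. */
typedef struct { uint64_t dest; uint64_t value; } ParamBlock;

uint64_t g_param_buffer[4];          /* scratch area the tool may legitimately write into */
uint64_t g_secure_boot_enforced = 1; /* firmware global the variable must never reach */

/* VULNERABLE pattern: attributes, length and the embedded pointer are all trusted. */
int vulnerable_handler(void)
{
    uint8_t buf[64]; size_t size = sizeof buf; uint32_t attrs; ParamBlock p;
    if (get_variable(&attrs, &size, buf) != 0) return -1;
    memcpy(&p, buf, sizeof p);                                   /* no length check */
    memcpy((void *)(uintptr_t)p.dest, &p.value, sizeof p.value); /* arbitrary write */
    return 0;
}

/* HARDENED pattern: refuse OS-settable variables, require the exact size,
 * and only ever write inside the firmware-owned scratch buffer. */
int hardened_handler(void)
{
    uint8_t buf[64]; size_t size = sizeof buf; uint32_t attrs; ParamBlock p;
    uintptr_t lo = (uintptr_t)g_param_buffer, hi = lo + sizeof g_param_buffer;
    if (get_variable(&attrs, &size, buf) != 0) return -1;
    if (attrs & EFI_VARIABLE_RUNTIME_ACCESS) return -2;   /* an OS admin could have set it */
    if (size != sizeof p) return -3;                      /* malformed or truncated */
    memcpy(&p, buf, sizeof p);
    if (p.dest < lo || p.dest > hi - sizeof p.value) return -4; /* outside scratch buffer */
    memcpy((void *)(uintptr_t)p.dest, &p.value, sizeof p.value);
    return 0;
}

/* An OS administrator sets the variable with runtime access (SetFirmwareEnvironmentVariable
 * on Windows, efivarfs on Linux); firmware code can set it boot-services-only. */
static void set_variable(uint32_t attrs, uint64_t dest, uint64_t value)
{
    ParamBlock p = { dest, value };
    g_ToolParams.attrs = attrs; g_ToolParams.size = sizeof p;
    memcpy(g_ToolParams.data, &p, sizeof p);
}
#define OS_ADMIN_ATTRS (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)

/* OS admin aims the variable at the Secure Boot flag and writes 0 through the vulnerable
 * handler. Returns the flag afterwards: 0 means Secure Boot enforcement was switched off. */
uint64_t demo_vulnerable(void)
{
    g_secure_boot_enforced = 1;
    set_variable(OS_ADMIN_ATTRS, (uint64_t)(uintptr_t)&g_secure_boot_enforced, 0);
    vulnerable_handler();
    return g_secure_boot_enforced;
}

/* Same attack against the hardened handler: returns its error code, the flag is untouched. */
int demo_hardened_rejects_os_variable(void)
{
    g_secure_boot_enforced = 1;
    set_variable(OS_ADMIN_ATTRS, (uint64_t)(uintptr_t)&g_secure_boot_enforced, 0);
    return hardened_handler();
}

/* Even a boot-services-only variable is rejected when it points outside the scratch buffer. */
int demo_hardened_rejects_out_of_bounds(void)
{
    set_variable(EFI_VARIABLE_BOOTSERVICE_ACCESS, (uint64_t)(uintptr_t)&g_secure_boot_enforced, 0);
    return hardened_handler();
}

/* Legitimate use: boot-services-only variable, destination inside the scratch buffer. */
int demo_hardened_accepts_legit(void)
{
    set_variable(EFI_VARIABLE_BOOTSERVICE_ACCESS, (uint64_t)(uintptr_t)&g_param_buffer[1], 0x1234);
    return hardened_handler() == 0 && g_param_buffer[1] == 0x1234;
}

int main(void)
{
    printf("vulnerable: secure boot enforced = %llu\n", (unsigned long long)demo_vulnerable());
    printf("hardened: rc=%d (OS-set), rc=%d (out of bounds), legit ok=%d\n",
           demo_hardened_rejects_os_variable(), demo_hardened_rejects_out_of_bounds(),
           demo_hardened_accepts_legit());
    return 0;
}
```

The attribute check is the decisive one: a variable the module reads during boot should not be one that runtime code can set, and a DXE-phase module should also verify that the variable's attributes match the ones it expects rather than accept whatever is stored. In the real case Microsoft did not patch the module's code; it revoked the vulnerable binaries, which is why the DBX update described below is the fix that has to reach every machine.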
The vulnerable module had been circulating in the wild since 2022 and was uploaded to VirusTotal in 2024, before being reported to Microsoft at the end of February 2025.
Microsoft recently released the June edition of Patch Tuesday, its monthly cumulative update, which addresses a number of recently discovered vulnerabilities. Among them was the arbitrary-write flaw in the Microsoft-signed UEFI firmware module, now tracked as CVE-2025-3052. It was assigned a severity score of 8.2 out of 10 (high).
The company also determined that the vulnerability affected 14 modules in total and has now blocked them all by adding their hashes to the Secure Boot revocation list (DBX).
“During the triage process, Microsoft determined that the issue affected not only a single module, as originally believed, but actually 14 different modules,” Binarly said. “For this reason, the updated DBX released with the patch on Tuesday, June 10, 2025, contains 14 new hashes.”
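Because the fix is a revocation rather than a code change, the practical check on a given machine is whether those new hashes are actually present in its DBX. The following C program is an added illustration, not code from Binarly, Microsoft or the article: it parses a DBX blob in the EFI_SIGNATURE_LIST format, counts the SHA-256 entries and optionally looks up one hash, so a DBX dumped before and after the update can be compared. The GUID, header sizes and layout are the ones defined in the UEFI specification; the sample blob is constructed from fake hashes, since the page does not list the real ones. On Linux the DBX can be read from the efivarfs file dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (strip its 4-byte attribute prefix first); on Windows, (Get-SecureBootUEFI -Name dbx).Bytes returns the same data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 in on-disk (mixed-endian) byte order. */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };

#define SIGLIST_HDR 28  /* EFI_SIGNATURE_LIST: SignatureType GUID + ListSize + HeaderSize + SignatureSize */
#define SIGDATA_HDR 16  /* EFI_SIGNATURE_DATA: SignatureOwner GUID, followed by the hash itself */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk a DBX blob (concatenated EFI_SIGNATURE_LISTs). Returns the number of SHA-256 entries,
 * or -1 if any list header is inconsistent with the buffer. If `needle` is given, *found is
 * set to 1 when that 32-byte hash occurs in any SHA-256 list. */
int dbx_scan(const uint8_t *blob, size_t len, const uint8_t *needle, int *found)
{
    size_t off = 0;
    int count = 0;
    if (found) *found = 0;
    while (off < len) {
        const uint8_t *l = blob + off;
        if (len - off < SIGLIST_HDR) return -1;
        uint32_t list_size = rd32(l + 16), hdr_size = rd32(l + 20), sig_size = rd32(l + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR || sig_size <= SIGDATA_HDR) return -1;
        size_t body = list_size - SIGLIST_HDR - hdr_size;
        if (body % sig_size != 0) return -1;
        if (memcmp(l, EFI_CERT_SHA256_GUID, 16) == 0 && sig_size == SIGDATA_HDR + 32) {
            const uint8_t *e = l + SIGLIST_HDR + hdr_size;
            for (size_t i = 0; i < body / sig_size; i++, e += sig_size) {
                count++;
                if (needle && found && memcmp(e + SIGDATA_HDR, needle, 32) == 0) *found = 1;
            }
        }
        off += list_size;   /* lists of other types (e.g. X.509 certificates) are skipped */
    }
    return count;
}

/* Build one SHA-256 EFI_SIGNATURE_LIST from n consecutive 32-byte hashes; returns bytes written. */
size_t build_sha256_list(uint8_t *out, const uint8_t *hashes, uint32_t n)
{
    uint32_t sig_size = SIGDATA_HDR + 32, list_size = SIGLIST_HDR + n * sig_size;
    memcpy(out, EFI_CERT_SHA256_GUID, 16);
    wr32(out + 16, list_size); wr32(out + 20, 0); wr32(out + 24, sig_size);
    uint8_t *e = out + SIGLIST_HDR;
    for (uint32_t i = 0; i < n; i++, e += sig_size) {
        memset(e, 0, SIGDATA_HDR);                    /* SignatureOwner: zero GUID (constructed) */
        memcpy(e + SIGDATA_HDR, hashes + (size_t)i * 32, 32);
    }
    return list_size;
}

/* Constructed sample DBX: two SHA-256 lists holding the fake hashes 0x11.., 0x22.. and 0x33..
 * (not the hashes Microsoft shipped). Returns the blob length. */
size_t sample_dbx(uint8_t *out)
{
    uint8_t h[3][32];
    for (int i = 0; i < 3; i++) memset(h[i], 0x11 * (i + 1), 32);
    size_t n = build_sha256_list(out, h[0], 2);
    return n + build_sha256_list(out + n, h[2], 1);
}

/* Checks over the sample, exposed as functions so their results can be asserted on. */
int sample_hash_count(void) { uint8_t b[256]; return dbx_scan(b, sample_dbx(b), NULL, NULL); }
int sample_contains(uint8_t fill)
{
    uint8_t b[256], needle[32]; int found;
    memset(needle, fill, 32);
    return dbx_scan(b, sample_dbx(b), needle, &found) < 0 ? -1 : found;
}
int sample_truncated(void) { uint8_t b[256]; size_t n = sample_dbx(b); return dbx_scan(b, n - 1, NULL, NULL); }

/* Stand-alone use: `./dbxscan dbx.bin` counts SHA-256 revocations in a dumped DBX. */
int main(int argc, char **argv)
{
    if (argc < 2) { printf("sample DBX: %d SHA-256 hashes\n", sample_hash_count()); return 0; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    static uint8_t blob[1 << 20];
    size_t n = fread(blob, 1, sizeof blob, f);
    fclose(f);
    printf("%s: %d SHA-256 hashes\n", argv[1], dbx_scan(blob, n, NULL, NULL));
    return 0;
}
```

A count that rises by 14 after the update is a coarse signal that the revocation landed; looking up the specific hashes Microsoft published for CVE-2025-3052 with the `needle` argument is the precise check. A firmware that silently drops DBX updates (or one where the DBX is never rewritten because the machine lacks the update) will show no change, and the vulnerable modules remain bootable there.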
Via BleepingComputer