Santa Monica, Calif. -- June 10, 2025 -- Binarly, a leading firmware and software supply chain security company, today announced the coordinated public disclosure of CVE-2025-3052, a security vulnerability that lets attackers silence the very security feature designed to stop them.
The security defect resides in a firmware component that carries Microsoft’s widely trusted “UEFI CA 2011” digital signature. By abusing a memory-corruption bug in that component, Binarly researchers proved that an intruder with administrative privileges inside the operating system can run their own code during the computer’s firmware boot sequence, well before Windows, Linux or any other operating system starts.
Because the exploit happens at this pre-boot stage, it bypasses Secure Boot, the cryptographic check meant to guarantee that only verified software launches. Once Secure Boot is out of the way, the attacker can plant a stealthy bootkit or other persistent malware that survives re-installation of the operating system and is invisible to normal endpoint protections.
Binarly researchers discovered that the vulnerable component began life as a BIOS-update utility for rugged tablets sold by DT Research, but the problem is not confined to that hardware. Any machine that trusts Microsoft’s third-party UEFI certificate will load the code, and that list effectively includes most modern laptops, servers and workstations because the same certificate also signs the Linux “shim” loader used by major distributions.
Binarly first noticed the module on the VirusTotal malware-scanning service in November 2024; embedded signature metadata shows it was compiled and signed in October 2022, so it has likely been circulating un-detected for years.
At a technical level, the flaw stems from unsafe handling of NVRAM variables. The researchers found that the affected code reads an NVRAM entry called IhisiParamBuffer and treats its contents as a memory pointer without checking whether the address is valid. An attacker can set that variable to any location in RAM and the module will dutifully write to it, handing the attacker an arbitrary write primitive inside firmware.
In proof-of-concept testing, Binarly used this to zero-out a pointer named gSecurity2, which the firmware relies on to enforce Secure Boot policies. With that single write, the firmware believes Secure Boot is active, but the enforcement routine is gone and unsigned code loads unhindered.
Binarly disclosed the issue to CERT/CC on 26 February 2025 and worked with Microsoft to confirm the scope. Further analysis identified fourteen separate firmware modules that contain the same vulnerable logic.
Microsoft responded by publishing new “dbx” revocation entries (a blacklist of disallowed boot components) in its June Patch Tuesday updated and instructed system manufacturers and administrators to apply the update as soon as possible. Until those revocations are in place, any affected device remains exposed because the firmware will continue to trust the maliciously signed code.
“Secure Boot plays a vital role in the UEFI trust chain to protect against bootkits that load before the operating system can defend itself. When that chain is broken, conventional antivirus, disk encryption and even virtual-machine isolation offer little protection,” said Alex Matrosov, CEO and Head of Research at Binarly.
Binarly’s discovery underscores a recurring theme: a single vendor’s mistake in complex UEFI firmware can ripple across the entire industry. Although this particular vulnerability does not affect Insyde-based devices whose NVRAM variables are locked, the vast majority of other platforms remain susceptible until the revocation is deployed.
About Binarly
Binarly is a U.S.-based firmware and software supply chain security company founded in 2021. The flagship Binarly Transparency Platform helps device manufacturers, OEMs and enterprise product security teams to detect vulnerabilities, misconfigurations, secrets, and malicious code in devices and software supply chains. Leveraging decades of research and program analysis expertise, we secure businesses, critical infrastructure, and consumers, while also assisting organizations in transitioning to a post-quantum cryptography (PQC) environment. For more information, visit https://www.binarly.io/
