A new Secure Boot flaw, tracked as CVE-2025-3052, has been discovered that can be used to disable security on PCs and servers, allowing attackers to install bootkit malware. The flaw affects nearly every system that trusts Microsoft’s “UEFI CA 2011” certificate, which is widely supported by hardware that supports Secure Boot.
Researchers from Binarly found the vulnerability after discovering a BIOS-flashing utility signed with Microsoft’s UEFI signing certificate. The utility was originally designed for rugged tablets but can run on any Secure Boot-enabled system. The vulnerable module has been circulating in the wild since at least late 2022 and was uploaded to VirusTotal in 2024.
Microsoft has patched the flaw as part of its June 2025 Patch Tuesday, adding affected module hashes to the Secure Boot dbx revocation list. However, another Secure Boot bypass affecting UEFI-compatible firmware based on Insyde H2O was disclosed by Nikolaj Schlej, tracked as CVE-2025-4275.
The new Secure Boot flaw works by exploiting a legitimate BIOS update utility signed with Microsoft’s UEFI CA 2011 certificate, which reads a user-writable NVRAM variable without validating it. An attacker can modify this variable to write arbitrary data to memory locations during the UEFI boot process, allowing them to disable Secure Boot and install bootkit malware.
To fix the flaw, users are urged to install the updated dbx file immediately through today’s security updates. Binarly has shared a video demonstrating how their proof-of-concept exploit can disable Secure Boot and cause a message to display before the operating system boots.
Source: https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-attackers-install-bootkit-malware-patch-now