{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/457458#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a \"Bring Your Own Vulnerable Driver\" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.\r\n\r\n\r\n### Description\r\nThe Unified Extensible Firmware Interface ([UEFI](https://uefi.org)) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains certificates from original equipment manufacturer (OEM) vendors, operating system authorities, and other supply-chain partners in the UEFI ecosystem. \r\n\r\nThe `UEFI shell` is a command-line application that allows advanced users to interact directly with the UEFI environment to run diagnostics or special tasks prior to the operating system boot. Other UEFI applications, such as bootloaders, manage the operating system startup sequence or load specific drivers before the main OS initializes. Some of these applications possess functionalities that can manipulate system memory, modify sensitive NVRAM variables, or load raw drivers. \r\n\r\nIf a vendor-signed application inadvertently exposes these capabilities without strict access controls, attackers can abuse them to circumvent Secure Boot policies and execute unverified code. This exposure effectively results in an early compromise of the pre-boot environment, bypassing the Secure Boot policy.\r\n\r\nResearchers from ESET identified multiple UEFI applications vulnerable to this type of abuse. To neutralize the risk, the affected binaries will be added to vendor-specific DBX revocation lists to prevent them from executing on the target systems.\r\n<table>\r\n\t<thead><tr> <th>Impacted UEFI Applications<br>\r\n\t\t[Vendor, Application and vulnerable function<br>\r\n\t\tAuthenticode SHA hash<br>\r\n\t\tSHA256 file hash]<br>\r\n\t\t</th></tr>\r\n  </thead>\r\n  <tbody>\r\n \r\n<tr><td><pre>Acer `GRUB2` insmod\r\n71DCE405964C67779DB92DBC01F683D6E29075AB\r\n6cc0e9501420ec036f0ad74df2d17f4d6360f26585f265042537b9f8c2780c30</pre></td></tr>\r\n<tr><td><pre>Acer `UEFI shell` mm,dmpstore\r\nD275C2DFD884D2B7842C7F861C527A9FFC6E59DD\r\nb0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883</pre></td></tr>\r\n<tr><td><pre>Acer `UEFI shell` mm,dmpstore\r\n42C4923E676A9FD0A93C08631AD7A8244A8F2174\r\n0784c30a83bfcc45bf42804e5729323987957f0a104fcb693d0ff10d76d5b42c</pre></td></tr>\r\n<tr><td><pre>Acer `UEFI shell` mm,dmpstore\r\n04BE47C873F116B85111FBF8EE9191C87CEE2619\r\nb0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883</pre></td></tr>\r\n<tr><td><pre>Acer Emdoor `UEFI shell` mm,setvar\r\nCD5E3EAD6F78526BF9301DEEF66906618654F604\r\n14a493007443c72050ce644562db1470e36bf9d04baf5dec6b046e32cbdbb61b</pre></td></tr>\r\n<tr><td><pre>AMD `UEFI shell` mm,dmpstore\r\n744565FBB35DB710BCC1547292204763C731DC55\r\n58bc1e460a1b7e18e6ad12dae8020c38bd7b3d6217130dd127ae232e4b248406</pre></td></tr>\r\n<tr><td><pre>ASUS schenker-tech.de(XMG) `UEFI shell` mm,dmpstore\r\nDC18D31E46A541C9E42F9588554ADDC7DECE124B\r\n61ee9a23c366a102ceb34c78af7816413769791658cdb668b02cb81ec94f7c70</pre></td></tr>\r\n<tr><td><pre>ECS `UEFI Shell` mm,dmpstore\r\n59BA2B5C239AF3CC7FCE74AA5E65AAA8CE3C454F\r\n81da15d6acdfb7868ecea44d41c869c2295603af9a44a2d106d4c0e57d66908</pre></td></tr>\r\n<tr><td><pre>Getac `UEFI Shell` mm,dmpstore\r\n35FBD8ED5ED31D281A6146360CDEFE7E8CEC31DA\r\n09d895bb03bdac3188ef61b09ab72b99492cfd0b785cbc3eb2eb75657a2f9fa0</pre></td></tr>\r\n<tr><td><pre>GIGABYTE Maibenben `UEFI Shell` mm,setvar,dmpstore\r\n6CC172CBFEEA24B2806B477F8EDF897334ECC486\r\n2944da098861619e21b522a642235bb2ec189ff20ef96e100b2ffdd9a39c3416</pre></td></tr>\r\n<tr><td><pre>Toshiba `UEFI Shell` mm,dmpstore\r\n2EAE2807A4265D9C30EECA68A8C59C7A6D1ACFE7\r\ncad246ae8a5db51f32f128896ccef5efc30e5d65c9d9722b449988d43da53d51</pre></td></tr>\r\n<tr><td><pre>Uniwill Maingear schenker-tech.de(XMG) `UEFI Shell` mm,dmpstore\r\n8CED62F9BD5C987A80598DA1E13414391BBB1ADE\r\n55682bec887134a2ccaa2cd5458cd3fe6395ea93bb88c9dc541806428b14fc66</pre></td></tr>\r\n\t</tbody></table>\r\n\r\n### Impact\r\nThis vulnerability only impacts systems where the specific affected vendor's certificate is trusted within the UEFI Authorized Signature Database (DB). On such systems, an attacker with administrative privileges or physical access could leverage the vulnerable application to bypass Secure Boot protections and execute arbitrary code before the operating system loads. \r\n\r\nCode executed during this early boot phase can achieve persistent platform compromise, including the ability to load unsigned or malicious kernel components that survive system reboots and operating system reinstallations. Because this activity occurs before the operating system and endpoint security products initialize, malicious code executed through this technique may completely evade detection by standard security controls and endpoint detection and response (EDR) solutions.\r\n\r\n### Solution\r\nApply the latest firmware and software updates provided by your hardware or software vendor. Please refer to the Vendor Information section for details. Updated software packages will replace vulnerable UEFI applications with corrected versions that incorporate the latest upstream security fixes.Additionally, administrators should update and verify the [UEFI DBX](https://media.defense.gov/2025/Dec/11/2003841096/-1/-1/0/CSI_UEFI_SECURE_BOOT.PDF) on affected systems to ensure the vulnerable binaries are revoked and can no longer execute during the boot process.\r\n\r\n### Acknowledgements\r\nThanks to Martin Smolar of ESET for researching and reporting this vulnerability. This document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"This zip includes efi executables signed with the vendor specific keys.\r\nAptio  does not include any of these certificates in the released source.","title":"Vendor statment from American Megatrends Incorporated (AMI)"},{"category":"other","text":"This issue does not impact Intel's UEFI Reference Code.","title":"Vendor statment from Intel"},{"category":"other","text":"does not apply to Supermicro","title":"Vendor statment from Supermicro"},{"category":"other","text":"We will remove the efiflash.efi signed by us from our BIOS update package.\r\nUse will no longer able to use -setvar , -env , these kind of parameters in EFI shell to bypass secure boot.","title":"Vendor statment from GIGABYTE"},{"category":"other","text":"AMD has reviewed this report and determined that the impacted product(s) have reached end of security support (EOSS). As permitted under the CVE Numbering Authority (CNA) Rules AMD is declining to issue a CVE ID for this report, consistent with AMD's end-of-support policies.","title":"Vendor statment from AMD"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/457458"},{"url":"https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html","summary":"https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html"},{"url":"https://uefi.org/specs/UEFI/2.11/03_Boot_Manager.html","summary":"https://uefi.org/specs/UEFI/2.11/03_Boot_Manager.html"},{"url":"https://uefi.org/specs/UEFI/2.11/07_Services_Boot_Services.html","summary":"https://uefi.org/specs/UEFI/2.11/07_Services_Boot_Services.html"},{"url":"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot","summary":"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot"},{"url":"https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/","summary":"https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/"},{"url":"https://www.eset.com/us/about/newsroom/press-releases/eset-research-discovers-uefi-secure-boot-bypass-vulnerability/","summary":"https://www.eset.com/us/about/newsroom/press-releases/eset-research-discovers-uefi-secure-boot-bypass-vulnerability/"},{"url":"https://github.com/sei-vsarvepalli/uefi-dbx-audit/","summary":"https://github.com/sei-vsarvepalli/uefi-dbx-audit/"}],"title":"Vendor-signed UEFI applications found vulnerable to Secure Boot bypass","tracking":{"current_release_date":"2026-06-18T19:41:08+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.42"}},"id":"VU#457458","initial_release_date":"2026-06-18 19:41:08.033874+00:00","revision_history":[{"date":"2026-06-18T19:41:08+00:00","number":"1.20260618194108.1","summary":"Released on 2026-06-18T19:41:08+00:00"}],"status":"final","version":"1.20260618194108.1"}},"vulnerabilities":[{"title":"Multiple UEFI applications that were digitally signed by various UEFI supply-chain stakeholders were found to be vulnerable to SecureBoot bypass, allowing either UEFI Shell, grub boot loader.","notes":[{"category":"summary","text":"Multiple UEFI applications that were digitally signed by various UEFI supply-chain stakeholders were found to be vulnerable to SecureBoot bypass, allowing either UEFI Shell, grub boot loader. The UEFI shell or third-party applications allows for loading of arbitrary commands or code to be run, irrespective of SecureBoot settings."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#457458"}],"product_status":{"known_affected":["CSAFPID-3fba9c7a-6b63-11f1-8284-1253c57fa98d"],"known_not_affected":["CSAFPID-3fb9c048-6b63-11f1-8284-1253c57fa98d","CSAFPID-3fb9fbc6-6b63-11f1-8284-1253c57fa98d","CSAFPID-3fba31e0-6b63-11f1-8284-1253c57fa98d","CSAFPID-3fba6728-6b63-11f1-8284-1253c57fa98d","CSAFPID-3fbad64a-6b63-11f1-8284-1253c57fa98d","CSAFPID-3fbb0e94-6b63-11f1-8284-1253c57fa98d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-3fb9c048-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-3fb9fbc6-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-3fba31e0-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"Supermicro","product":{"name":"Supermicro Products","product_id":"CSAFPID-3fba6728-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"GIGABYTE","product":{"name":"GIGABYTE Products","product_id":"CSAFPID-3fba9c7a-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-3fbad64a-6b63-11f1-8284-1253c57fa98d"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-3fbb0e94-6b63-11f1-8284-1253c57fa98d"}}]}}