200,000 Framework laptops vulnerable to Secure Boot bypass

Approximately 200,000 Linux systems from the American manufacturer Framework were shipped with signed UEFI Shell components that can be used to bypass Secure Boot. Attackers can exploit the issue to load bootkits that circumvent OS-level protections and persist even after the OS is reinstalled.

According to experts at Eclypsium, the vulnerability is tied to the presence of the memory modify (mm) command in officially signed UEFI shells that Framework ships with its devices.

The command provides direct read and write access to system memory and is intended for low-level firmware diagnostics and debugging. However, it can be used to break the Secure Boot chain of trust by attacking the gSecurity2 variable — a critical component of the UEFI module signature verification process.

The mm command can be used to overwrite gSecurity2 with a NULL value, effectively disabling signature verification. In addition, the researchers note that the attack can be automated via autorun scripts, allowing the threat to persist even after a reboot.

The presence of the mm command is not the result of a compromise but a simple mistake. After being informed of the issue, Framework specialists began working to address the vulnerability.

Eclypsium researchers believe that the bug has affected approximately 200,000 Framework devices:

Framework 13 (11th Gen Intel) — patch planned in version 3.24;
Framework 13 (12th Gen Intel) — fixed in version 3.18, DBX update planned in version 3.19;
Framework 13 (13th Gen Intel) — fixed in version 3.08, DBX update released in version 3.09;
Framework 13 (Intel Core Ultra) — fixed in version 3.06;
Framework 13 (AMD Ryzen 7040) — fixed in version 3.16;
Framework 13 (AMD Ryzen AI 300) — fixed in version 3.04, DBX update planned in version 3.05;
Framework 16 (AMD Ryzen 7040) — fixed in version 3.06 (Beta), DBX update released in version 3.07;
Framework Desktop (AMD Ryzen AI 300 MAX) — fixed in version 3.01, DBX update planned in version 3.03.

Users of affected devices are advised to install the available updates. If a patch is not yet available, it’s critical to use additional protective measures, such as restricting physical access to the device. Another temporary mitigation is to delete the Framework DB key via the BIOS.

14.02.2025 — 12,000 Kerio Control firewalls remain vulnerable to RCE

17.02.2025 — Dutch police seize 127 servers belonging to Zservers hosting provider

04.04.2025 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

10.04.2025 — April updates released by Microsoft cause issues with Windows Hello

07.04.2025 — Critical RCE vulnerability discovered in Apache Parquet

16.04.2025 — Android devices will restart every three days to protect user data

22.04.2025 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims

21.02.2025 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

12.03.2025 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

05.02.2025 — Google patches Android zero-day vulnerability exploited by hackers

07.07.2023 — Evil Ethernet. BadUSB-ETH attack in detail

12.01.2022 — Post-quantum VPN. Understanding quantum computers and installing OpenVPN to protect them against future threats

11.01.2022 — Persistence cheatsheet. How to establish persistence on the target host and detect a compromise of your own system

15.12.2022 — What Challenges To Overcome with the Help of Automated e2e Testing?

19.04.2023 — Kung fu enumeration. Data collection in attacked systems

08.06.2023 — Croc-in-the-middle. Using crocodile clips do dump traffic from twisted pair cable

04.04.2022 — Elephants and their vulnerabilities. Most epic CVEs in PostgreSQL

03.06.2022 — Playful Xamarin. Researching and hacking a C# mobile app

21.02.2023 — Pivoting District: GRE Pivoting over network equipment

29.07.2023 — Invisible device. Penetrating into a local network with an 'undetectable' hacker gadget

14.02.2025 —
12,000 Kerio Control firewalls remain vulnerable to RCE

17.02.2025 —
Dutch police seize 127 servers belonging to Zservers hosting provider

04.04.2025 —
Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

10.04.2025 —
April updates released by Microsoft cause issues with Windows Hello

07.04.2025 —
Critical RCE vulnerability discovered in Apache Parquet

16.04.2025 —
Android devices will restart every three days to protect user data

22.04.2025 —
Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims

21.02.2025 —
Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

12.03.2025 —
Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

05.02.2025 —
Google patches Android zero-day vulnerability exploited by hackers

07.07.2023 —
Evil Ethernet. BadUSB-ETH attack in detail

12.01.2022 —
Post-quantum VPN. Understanding quantum computers and installing OpenVPN to protect them against future threats

11.01.2022 —
Persistence cheatsheet. How to establish persistence on the target host and detect a compromise of your own system

15.12.2022 —
What Challenges To Overcome with the Help of Automated e2e Testing?

19.04.2023 —
Kung fu enumeration. Data collection in attacked systems

08.06.2023 —
Croc-in-the-middle. Using crocodile clips do dump traffic from twisted pair cable

04.04.2022 —
Elephants and their vulnerabilities. Most epic CVEs in PostgreSQL

03.06.2022 —
Playful Xamarin. Researching and hacking a C# mobile app

21.02.2023 —
Pivoting District: GRE Pivoting over network equipment

29.07.2023 —
Invisible device. Penetrating into a local network with an 'undetectable' hacker gadget