
Many models of Gigabyte motherboards utilize vulnerable UEFI firmware, which allows for the installation of bootkits that are invisible to the operating system.
The vulnerabilities allow attackers with local or remote administrator rights to execute arbitrary code in the context of System Management Mode (SMM), which is isolated from the operating system and possesses higher privileges.
Specialists from Binarly have discovered four vulnerabilities in the firmware of Gigabyte motherboards and have notified CERT/CC about them.
The original firmware supplier is American Megatrends Inc. (AMI). AMI was privately informed about the issues and subsequently fixed the bugs. However, the patches have not yet been incorporated into the firmware of certain OEMs, such as Gigabyte.
In Gigabyte’s implementation, the following bugs were found (all received a CVSS score of 8.2):
- CVE-2025-7029 — a vulnerability in the SMI handler (OverClockSmiHandler) that allows privilege escalation to SMM level;
- CVE-2025-7028 — a bug in the SMI handler (SmiFlash) that provides read and write access to SMRAM, which can be used for malware injection;
- CVE-2025-7027 — privilege escalation in SMM that permits firmware modification by writing arbitrary data to SMRAM;
- CVE-2025-7026 — enables writing to SMRAM, leading to privilege escalation to SMM and persistent infection.
As noted by Bleeping Computer, these issues affect over 240 motherboard models (including different revisions, variations, and regional versions) with firmware released from the end of 2023 to mid-August 2024.
Researchers at Binarly emphasize that hundreds of product lines are at risk. Worse yet, besides Gigabyte, products from other manufacturers are also vulnerable, although their names have not yet been disclosed.
CERT/CC reports that information about the vulnerabilities was provided to Gigabyte on April 15 of this year, and on June 12, the developers confirmed the existence of the issues. After that, the company allegedly released updates, but a public security bulletin has not yet been published.
Meanwhile, the founder and head of Binarly, Alex Matrosov, told reporters that Gigabyte has likely not released any patches at all. Since many of the vulnerable models are no longer supported, updates are probably not to be expected:
“Since all four vulnerabilities originate from the reference AMI code, they were only disclosed by the company to paying clients under a non-disclosure agreement (NDA). This resulted in the vulnerabilities remaining unpatched by OEM manufacturers for years,” explains Matrosov. “It seems that Gigabyte has yet to release patches. Devices that have reached end-of-support are likely to remain vulnerable.”
