
Many models of Gigabyte motherboards utilize vulnerable UEFI firmware, which allows for the installation of bootkits that are invisible to the operating system.
The vulnerabilities allow attackers with local or remote administrator rights to execute arbitrary code in the context of System Management Mode (SMM), which is isolated from the operating system and possesses higher privileges.
Specialists from Binarly have discovered four vulnerabilities in the firmware of Gigabyte motherboards and have notified CERT/CC about them.
The original firmware supplier is American Megatrends Inc. (AMI). AMI was privately informed about the issues and subsequently fixed the bugs. However, the patches have not yet been integrated into the firmware shipped by certain OEMs, such as Gigabyte.
In Gigabyte’s implementation, the following bugs were found (all received a CVSS score of 8.2):
- CVE-2025-7029 — a vulnerability in the SMI handler (OverClockSmiHandler) that allows privilege escalation to SMM level;
- CVE-2025-7028 — a bug in the SMI handler (SmiFlash) that provides read and write access to SMRAM, which can be used for malware injection;
- CVE-2025-7027 — privilege escalation in SMM that permits firmware modification by writing arbitrary data to SMRAM;
- CVE-2025-7026 — enables writing to SMRAM, leading to privilege escalation to SMM and persistent infection.
As noted by Bleeping Computer, these issues affect over 240 motherboard models (including different revisions, variations, and regional versions) with firmware released from the end of 2023 to mid-August 2024.
Researchers at Binarly emphasize that hundreds of product lines are at risk. Worse yet, besides Gigabyte, products from other manufacturers are also vulnerable, although their names have not yet been disclosed.
CERT/CC reports that information about the vulnerabilities was provided to Gigabyte on April 15 of this year, and on June 12, the developers confirmed the existence of the issues. After that, the company allegedly released updates, but a public security bulletin has not yet been published.
Meanwhile, the founder and head of Binarly, Alex Matrosov, told reporters that Gigabyte has likely not released any patches at all. Since many of the vulnerable models are no longer supported, updates are probably not to be expected:
“Since all four vulnerabilities originate from the reference AMI code, they were only disclosed by the company to paying clients under a non-disclosure agreement (NDA). This resulted in the vulnerabilities remaining unpatched by OEM manufacturers for years,” explains Matrosov. “It seems that Gigabyte has yet to release patches. Devices that have reached end-of-support are likely to remain vulnerable.”
