Many Gigabyte motherboard models ship with vulnerable UEFI firmware that allows attackers to install bootkits invisible to the operating system.
The vulnerabilities allow attackers with local or remote administrator rights to execute arbitrary code in the context of System Management Mode (SMM), which is isolated from the operating system and possesses higher privileges.
Specialists from Binarly have discovered four vulnerabilities in the firmware of Gigabyte motherboards and have notified CERT/CC about them.
The original firmware supplier is American Megatrends Inc. (AMI). AMI was privately informed about the issues and subsequently fixed the bugs. However, the patches have not yet been implemented in the firmware of certain OEMs, such as Gigabyte.
In Gigabyte’s implementation, the following bugs were found (all received a CVSS score of 8.2):
- CVE-2025-7029 — a vulnerability in the SMI handler (OverClockSmiHandler) that allows privilege escalation to SMM level;
- CVE-2025-7028 — a bug in the SMI handler (SmiFlash) that provides read and write access to SMRAM, which can be used for malware injection;
- CVE-2025-7027 — privilege escalation in SMM that permits firmware modification by writing arbitrary data to SMRAM;
- CVE-2025-7026 — enables writing to SMRAM, leading to privilege escalation to SMM and persistent infection.
As noted by Bleeping Computer, these issues affect over 240 motherboard models (including different revisions, variations, and regional versions) with firmware released from the end of 2023 to mid-August 2024.
Researchers at Binarly emphasize that hundreds of product lines are at risk. Worse yet, besides Gigabyte, products from other manufacturers are also vulnerable, although their names have not yet been disclosed.
CERT/CC reports that information about the vulnerabilities was provided to Gigabyte on April 15 of this year, and on June 12, the developers confirmed the existence of the issues. After that, the company allegedly released updates, but a public security bulletin has not yet been published.
Meanwhile, the founder and head of Binarly, Alex Matrosov, told reporters that Gigabyte has likely not released any patches at all. Since many of the vulnerable models are no longer supported, updates are probably not to be expected:
“Since all four vulnerabilities originate from the reference AMI code, they were only disclosed by the company to paying clients under a non-disclosure agreement (NDA). This resulted in the vulnerabilities remaining unpatched by OEM manufacturers for years,” explains Matrosov. “It seems that Gigabyte has yet to release patches. Devices that have reached end-of-support are likely to remain vulnerable.”