
Many models of Gigabyte motherboards utilize vulnerable UEFI firmware, which allows for the installation of bootkits that are invisible to the operating system.
The vulnerabilities allow attackers with local or remote administrator rights to execute arbitrary code in the context of System Management Mode (SMM), which is isolated from the operating system and possesses higher privileges.
Specialists from Binarly have discovered four vulnerabilities in the firmware of Gigabyte motherboards and have notified CERT/CC about them.
The original firmware supplier is American Megatrends Inc. (AMI). AMI was privately informed about the issues and subsequently fixed the bugs. However, the patches have not yet been incorporated into the firmware of certain OEMs, such as Gigabyte.
In Gigabyte’s implementation, the following bugs were found (all received a CVSS score of 8.2):
- CVE-2025-7029 — a vulnerability in the SMI handler (OverClockSmiHandler) that allows privilege escalation to SMM level;
- CVE-2025-7028 — a bug in the SMI handler (SmiFlash) that provides read and write access to SMRAM, which can be used for malware injection;
- CVE-2025-7027 — privilege escalation in SMM that permits firmware modification by writing arbitrary data to SMRAM;
- CVE-2025-7026 — a vulnerability that enables writing to SMRAM, leading to privilege escalation to SMM and persistent infection.
As noted by Bleeping Computer, these issues affect over 240 motherboard models (including different revisions, variations, and regional versions) with firmware released from the end of 2023 to mid-August 2024.
Researchers at Binarly emphasize that hundreds of product lines are at risk. Worse yet, besides Gigabyte, products from other manufacturers are also vulnerable, although their names have not yet been disclosed.
CERT/CC reports that information about the vulnerabilities was provided to Gigabyte on April 15 of this year, and on June 12, the developers confirmed the existence of the issues. After that, the company allegedly released updates, but a public security bulletin has not yet been published.
Meanwhile, the founder and head of Binarly, Alex Matrosov, told reporters that Gigabyte has likely not released any patches at all. Since many of the vulnerable models are no longer supported, updates are probably not to be expected:
“Since all four vulnerabilities originate from the reference AMI code, they were only disclosed by the company to paying clients under a non-disclosure agreement (NDA). This resulted in the vulnerabilities remaining unpatched by OEM manufacturers for years,” explains Matrosov. “It seems that Gigabyte has yet to release patches. Devices that have reached end-of-support are likely to remain vulnerable.”
