Many models of Gigabyte motherboards utilize vulnerable UEFI firmware, which allows for the installation of bootkits that are invisible to the operating system.
The vulnerabilities allow attackers with local or remote administrator rights to execute arbitrary code in the context of System Management Mode (SMM), which is isolated from the operating system and possesses higher privileges.
Specialists from Binarly have discovered four vulnerabilities in the firmware of Gigabyte motherboards and have notified CERT/CC about them.
The original firmware supplier is American Megatrends Inc. (AMI). The manufacturer was privately informed about the issues, after which the company fixed the bugs. However, the patches have not yet been implemented in the firmware of certain OEM manufacturers, such as Gigabyte.
In Gigabyte’s implementation, the following bugs were found (all received a CVSS score of 8.2):
- CVE-2025-7029 — a vulnerability in the SMI handler (OverClockSmiHandler) that allows privilege escalation to SMM level;
- CVE-2025-7028 — a bug in the SMI handler (SmiFlash) that provides read and write access to SMRAM, which can be used for malware injection;
- CVE-2025-7027 — privilege escalation in SMM that permits firmware modification by writing arbitrary data to SMRAM;
- CVE-2025-7026 — enables writing to SMRAM, leading to privilege escalation to SMM and persistent infection.
As noted by Bleeping Computer, these issues affect over 240 motherboard models (including different revisions, variations, and regional versions) with firmware released from the end of 2023 to mid-August 2024.
Researchers at Binarly emphasize that hundreds of product lines are at risk. Worse yet, besides Gigabyte, products from other manufacturers are also vulnerable, although their names have not yet been disclosed.
CERT/CC reports that information about the vulnerabilities was provided to Gigabyte on April 15 of this year, and on June 12, the developers confirmed the existence of the issues. After that, the company allegedly released updates, but a public security bulletin has not yet been published.
Meanwhile, the founder and head of Binarly, Alex Matrosov, told reporters that Gigabyte has likely not released any patches at all. Since many of the vulnerable models are no longer supported, updates are probably not to be expected:
“Since all four vulnerabilities originate from the reference AMI code, they were only disclosed by the company to paying clients under a non-disclosure agreement (NDA). This resulted in the vulnerabilities remaining unpatched by OEM manufacturers for years,” explains Matrosov. “It seems that Gigabyte has yet to release patches. Devices that have reached end-of-support are likely to remain vulnerable.”
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →