Skip to content
A skeleton key for hackers

Found in the wild: 2 Secure Boot exploits. Microsoft is patching only 1 of them.

The publicly available exploits provide a near-universal way to bypass key protections.

Dan Goodin | 42
Credit: Getty Images
Credit: Getty Images
Story text

Researchers have unearthed two publicly available exploits that completely evade protections offered by Secure Boot, the industry-wide mechanism for ensuring devices load only secure operating system images during the boot-up process. Microsoft is taking action to block one exploit and allowing the other one to remain a viable threat.

As part of Tuesday’s monthly security update routine, Microsoft patched CVE-2025-3052, a Secure Boot bypass vulnerability affecting more than 50 device makers. More than a dozen modules that allow devices from these manufacturers to run on Linux allow an attacker with physical access to turn off Secure Boot and, from there, go on to install malware that runs before the operating system loads. Such “evil maid” attacks are precisely the threat Secure Boot is designed to prevent. The vulnerability can also be exploited remotely to make infections stealthier and more powerful if an attacker has already gained administrative control of a machine.

A single point of failure

The underlying cause of the vulnerability is a critical vulnerability in a tool used to flash firmware images on the motherboards of devices sold by DT Research, a manufacturer of rugged mobile devices. It has been available on VirusTotal since last year and was digitally signed in 2022, an indication it has been available through other channels since at least that earlier date.

Although the module was intended to run on DT Research devices only, most machines running either Windows or Linux will execute it during the boot-up process. That’s because the module is authenticated by “Microsoft Corporation UEFI CA 2011,” a cryptographic certificate that’s signed by Microsoft and comes preinstalled on affected machines. The purpose of the certificate is to authenticate so-called shims for loading Linux. Manufacturers install it on their devices to ensure they’re compatible with Linux. The patch Microsoft released Tuesday adds cryptographic hashes for 14 separate variants of the DT Research tool to a block list stored in the DBX, a database listing signed modules that have been revoked or are otherwise untrusted.

“This discovery underscores how a single vendor misstep can ripple across the entire UEFI supply chain, and why forward-leaning orgs are investing in continuous binary-level scanning and rapid dbx rollouts instead of relying on the once-a-year ‘secure-BIOS-update’ ritual,” said Alex Matrosov, CEO and founder of Binarly, the security firm that discovered the Secure Boot exploit. UEFI is short for Unified Extensible Firmware Interface, the motherboard-resident firmware that replaced the BIOS.

Binarly assigned a severity rating of 8.2 out of a possible 10 to CVE-2025-3052. Microsoft’s rating is 6.7. The vulnerability also received a patch on Tuesday from Red Hat and other distributors of Linux operating systems.

Introduced more than a decade ago by a consortium of companies, Secure Boot uses public-key cryptography to block the loading of any code during the boot-up process that isn’t signed with a pre-approved digital signature. It establishes a chain of trust between the hardware and software or firmware that boots up a device. Each link in this chain must be digitally signed with a certificate authorized by the device manufacturer. Microsoft requires it to be on by default. Some certification programs mandated by various governments also require Secure Boot protections to be in place.

But wait, there’s more

The second publicly available Secure Boot exploit was discovered by researcher Zack Didcott. As he reported earlier this month, CVE-2025-47827 stems from IGEL, a Linux kernel module for handling their proprietary logical volume management. The initial shim, which loads GRUB and the vulnerable kernel, is signed by Microsoft.

Attackers with even brief physical access to a device can boot it up in IGEL and then modify the boot loader to install malware. Didcott said he reported the vulnerability to Microsoft and has received no indication the company has plans to revoke the signature. Microsoft didn’t respond to emails seeking confirmation and the reason for its decision.

Researchers at Eclypsium, a firm specializing in firmware security, said the module provides a near-universal means for bypassing Secure Boot protections.

“Because Microsoft’s 3rd Party UEFI CA is trusted by almost all PC-like devices, an unrevoked vulnerability in any of the components verified with that key… allows you to break Secure Boot to load an untrusted OS,” one of the researchers, Jesse Michael, wrote in an email. “Any system that trusts the Microsoft 3rd Party UEFI CA will load and run their version of the shim, which has been signed by that key. Their shim will then use its own embedded key to verify the IGEL-signed kernel+initramfs and malicious rootfs, which can be modified to chain-load another operating system such as Windows or a different version of Linux.”

Aside from installing patches issued by Microsoft and others, there isn’t much users can do to shore up Secure Boot protection. Of course, people can take extra precautions to physically secure their devices, but the entire point of Secure Boot is to minimize threats stemming from evil maid scenarios.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
42 Comments
Staff Picks
Zack Didcott
Zack Didcott
Zack Didcott may have done the right thing here, but all we know is that it was publicly disclosed less than 2 weeks ago, with little indication of the timeline.

The CVE was assigned about a month ago. If that's the timeline for the private disclosure, that's not enough time for responsible disclosure.

In any case, the timeline disparity between these two cases is pretty critical to contextualizing why Microsoft is "patching only 1 of them".
Great point, thanks! I have since added the disclosure dates to the GitHub repository:
Both IGEL and Microsoft were contacted and made aware of this vulnerability, on 6th December 2024 and 31st March 2025 respectively, before details were made public on 29th May 2025.
Unfortunately, it was a long process to communicate the extent of the vulnerability, and for it to pick up any traction. I coordinated with the vendor and agreed on public disclosure dates, before sharing any details.

Microsoft also dismissed the report after about a week, as they believed it was not their responsibility, due to the vulnerability existing within the igel-flash-driver, rather than the shim signed by them.

As others have mentioned, this highlights the current state of Secure Boot; while it can be an effective gatekeeper, users should be wary of who/what they are implicitly trusting. If not needed, the Microsoft 3rd Party UEFI CA should be distrusted. For Linux users, I also recommend generating and enrolling your own keys, to sign a unified kernel image. These can be generated automatically after a system upgrade.
Prev story
Next story