A Microsoft-signed firmware module has been discovered to bypass Secure Boot, potentially allowing attackers to silently disable this critical security feature on a wide range of Windows laptops and servers. This vulnerability, disclosed in June 2025, poses a significant threat despite requiring administrative and physical access to the targeted machine.
The vulnerability resides in the Unified Extensible Firmware Interface (UEFI), the industry standard for hardware initialization during computer startup. UEFI operates before the operating system, making it a prime target for attackers seeking to compromise systems before OS-level security defenses are loaded. Researchers have increasingly focused on UEFI vulnerabilities, as demonstrated by a previous discovery of a serious Secure Boot bypass flaw.
Binarly researchers identified the flawed module on VirusTotal in November 2024. The module, reportedly developed by a vendor specializing in rugged displays for public environments like airports, contained a vulnerability tracked as CVE-2025-3052, which stems from a UEFI memory corruption issue. Because the module is signed with a Microsoft third-party certificate, the flaw could allow attackers to overwrite a critical variable used to enforce Secure Boot, a UEFI security feature designed to prevent malicious software from loading at the same level as the operating system.
The Binarly research team discovered that the module reads the UEFI `IhisiParamBuffer` variable and uses it as a pointer for multiple memory write operations without any validation or sanity checks. This lack of validation allows an attacker to set the `IhisiParamBuffer` variable to an arbitrary address in memory, granting them arbitrary memory write capabilities.
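The bug class described above, shown as an added example that is not code from the affected module or from Binarly: a small C model in which memory is a flat array, `nvram_param_ptr` stands in for the `IhisiParamBuffer` variable, and one array slot stands in for the Secure Boot enforcement variable. All names, offsets and sizes are constructed for illustration; the unchecked handler follows the pattern the researchers describe, and the checked handler shows the validation that pattern lacks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: "memory" is a flat array and addresses are offsets into it. */
#define MEM_SIZE      256
#define PARAM_BUF_OFF 64    /* region the module is meant to write into */
#define PARAM_BUF_LEN 32
#define ENFORCE_OFF   200   /* stand-in for the Secure Boot enforcement variable */

static uint8_t  mem[MEM_SIZE];
static uint64_t nvram_param_ptr;  /* stand-in for the IhisiParamBuffer NVRAM variable */

void reset_model(uint64_t nvram_value) {
    memset(mem, 0, sizeof mem);
    mem[ENFORCE_OFF] = 1;             /* enforcement starts enabled */
    nvram_param_ptr = nvram_value;    /* persists across boots, set before the module runs */
}

int secure_boot_enforced(void) { return mem[ENFORCE_OFF] == 1; }

/* Pattern from the text: the NVRAM value is used as a write target as-is.
   Only the array bound is checked, so the model itself stays memory-safe. */
int write_status_unchecked(uint8_t status) {
    uint64_t dst = nvram_param_ptr;
    if (dst >= MEM_SIZE) return -1;
    mem[dst] = status;
    return 0;
}

/* Hardened form: the whole write must fall inside the expected buffer. */
int write_status_checked(uint8_t status, size_t len) {
    uint64_t dst = nvram_param_ptr;
    if (len == 0 || len > PARAM_BUF_LEN) return -1;
    if (dst < PARAM_BUF_OFF) return -1;
    if (dst - PARAM_BUF_OFF > PARAM_BUF_LEN - len) return -1;  /* no wrap-around */
    memset(&mem[dst], status, len);
    return 0;
}

int main(void) {
    reset_model(ENFORCE_OFF);         /* variable points outside the buffer */
    write_status_unchecked(0);
    printf("unchecked: enforced=%d\n", secure_boot_enforced());
    reset_model(ENFORCE_OFF);
    int rc = write_status_checked(0, 1);
    printf("checked: rc=%d enforced=%d\n", rc, secure_boot_enforced());
    return 0;
}
```

The range check subtracts before comparing so that a value near the top of the address space cannot wrap around and pass.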
The `IhisiParamBuffer` variable is stored in non-volatile RAM (NVRAM), which is used to store variables that need to persist between boots. NVRAM variables have historically been a recurrent source of security vulnerabilities. A 2017 WikiLeaks publication detailed CIA penetration techniques, revealing that the agency targeted NVRAM to gain control over system booting.
While some UEFI distributions are immune to this specific attack because they treat the `IhisiParamBuffer` variable as read-only, Binarly stated that the vast majority of systems are potentially at risk. Further investigation revealed that the module may have been circulating online since October 2022.
A successful exploit of this vulnerability could leave the operating system behaving as if Secure Boot is enabled, even when it is not, creating a deceptive security posture. Upon being notified by Binarly, Microsoft discovered an additional 13 firmware modules with the same flaw. In response, Microsoft revoked the certificate for all 14 modules as part of its June Patch Tuesday update.
Prajeet Nair, Assistant Editor at ISMG, contributed to this report. Nair has over a decade of experience covering cybersecurity and OT developments and has held editorial roles at various news organizations.
In summary, the discovery of a Microsoft-signed firmware module capable of bypassing Secure Boot highlights the ongoing challenges in maintaining the integrity of the UEFI firmware. The vulnerability, CVE-2025-3052, allows for the silent disabling of Secure Boot by exploiting a memory corruption flaw. Although the attack requires administrative and physical access, its potential impact on a wide range of Windows systems is significant. Microsoft’s response, which included revoking the certificates for all affected modules, is a crucial step in mitigating this threat. However, the incident underscores the need for continuous vigilance and robust security measures in the UEFI firmware ecosystem.
The vulnerability allows attackers to silently disable Secure Boot, a critical security feature designed to prevent malicious software from loading during the boot process. This bypass can occur without the user’s knowledge, leaving the operating system vulnerable to malware and other threats.
While the attack requires admin access and physical access to the target machine, the potential impact is significant. An attacker with these privileges could exploit the vulnerability to install persistent malware or compromise the system’s security in other ways.
Microsoft issued a patch in June 2025 to address the vulnerability. This patch revokes the certificates for the affected modules, preventing them from being used to bypass Secure Boot.
The vulnerability is located in the Unified Extensible Firmware Interface (UEFI), which is responsible for initializing hardware during the boot process. UEFI vulnerabilities are particularly concerning because they can be exploited before the operating system even starts, making them difficult to detect and prevent.
Binarly researchers discovered the flawed module on VirusTotal in November 2024. This discovery highlights the importance of threat intelligence and the role of platforms like VirusTotal in identifying potentially malicious software.
The module was developed by a vendor of rugged displays, suggesting that the vulnerability may be present in a range of devices used in industrial and public settings. This underscores the need for security to be a priority throughout the supply chain.
The flaw is tracked as CVE-2025-3052 and stems from a UEFI memory corruption vulnerability. This CVE identifier allows security professionals to track and remediate the vulnerability effectively.
The module, which was signed with a Microsoft certificate, allows an attacker to overwrite a key variable for Secure Boot. This ability to modify critical system settings is what makes the vulnerability so dangerous.
The module reads the UEFI `IhisiParamBuffer` variable and uses it as a pointer for memory write operations without validation. This lack of validation is the root cause of the memory corruption vulnerability.
Attackers can set the `IhisiParamBuffer` variable to an arbitrary memory address, allowing them to write to any location in memory. This arbitrary memory write capability can be used to disable Secure Boot or perform other malicious actions.
Some UEFI distributions are immune because they treat the `IhisiParamBuffer` variable as read-only. This demonstrates that certain security configurations can mitigate the risk of this vulnerability.
The module may have circulated online since October 2022, indicating that the vulnerability has been present for a significant amount of time. This underscores the importance of regular security updates and vulnerability scanning.
The operating system may behave as if Secure Boot is enabled even when it is not, making it difficult for users to detect the compromise. This deceptive behavior can allow attackers to maintain persistence on the system without being detected.
Microsoft found 13 additional firmware modules with the same flaw, highlighting the widespread nature of the vulnerability. This discovery underscores the need for thorough security audits of firmware and other low-level software.
Microsoft revoked the certificate for all 14 modules in the June Patch Tuesday update. This revocation prevents the modules from being used to bypass Secure Boot, effectively mitigating the risk of the vulnerability.
The discovery and remediation of this Secure Boot bypass vulnerability highlight the ongoing challenges in securing modern computer systems. Firmware vulnerabilities are particularly concerning because they can be difficult to detect and prevent. Organizations must prioritize security throughout the supply chain and implement robust security measures to protect against these types of attacks. Regular security updates, vulnerability scanning, and threat intelligence are essential for mitigating the risk of firmware vulnerabilities and maintaining a secure computing environment.
The incident serves as a reminder of the importance of layered security and the need to address vulnerabilities at all levels of the system, from the firmware to the operating system and applications. By taking a comprehensive approach to security, organizations can reduce their risk of compromise and protect their critical assets.
The discovery of this vulnerability and Microsoft’s response also underscore the importance of collaboration between security researchers and vendors. By working together, they can identify and remediate vulnerabilities more quickly and effectively, improving the overall security of the computing ecosystem.
The incident also raises questions about the security of third-party certificates and the processes used to validate them. Microsoft’s revocation of the certificates for the affected modules is a necessary step, but it also highlights the potential for abuse and the need for stronger controls over the issuance and management of certificates.




