- Binarly found a legitimate BIOS update utility, trusted by most modern systems running UEFI firmware, with a flaw
- The flaw allowed threat actors to plant bootkit malware
- Microsoft patched it in the June 2025 Patch Tuesday cumulative update
Microsoft has fixed a Secure Boot vulnerability that allowed threat actors to disable security protections and install bootkit malware on most PCs.
Binarly security researchers recently discovered a legitimate BIOS update utility signed with Microsoft's UEFI CA certificate. This CA certificate, trusted by the Secure Boot process of the Unified Extensible Firmware Interface (UEFI), plays a central role in verifying the authenticity and integrity of bootloaders, operating systems and other low-level software before a system boots.
According to the researchers, the utility is trusted by most modern systems that run UEFI firmware, but the problem is that it reads a user-writable NVRAM variable without adequate validation. Because that variable can be set from the running operating system, an attacker with administrator access can modify it and make the utility write arbitrary data to memory locations of their choosing during the UEFI boot process.
Binarly was able to use this vulnerability to disable Secure Boot and allow unsigned UEFI modules to execute. In other words, an attacker could switch off security features and install bootkit malware that cannot be removed even by replacing the hard drive.
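The bug class described in the two paragraphs above, as an added example in C that is not Binarly's code or the vendor's utility: a firmware handler takes a pointer-sized value out of an NVRAM variable and writes through it. The variable store, the firmware-owned parameter buffer and the `g_secure_boot_enforced` flag (standing in for whatever enforcement state a bootkit would want to clear) are constructed for the example; the hardened variant shows the bounds check the original was missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed firmware state (example code, not Binarly's or the vendor's):
   the buffer the update utility is meant to write into, and a security-
   relevant global that a bootkit would want to zero. */
static uint8_t  g_param_buffer[64];
static uint32_t g_secure_boot_enforced = 1;

/* Constructed stand-in for an NVRAM variable with runtime access: whoever
   can call SetVariable from the OS (an administrator) picks its value, and
   the firmware later reads that value back and treats it as a pointer. */
static uint64_t g_nvram_param_ptr;
static void     set_variable(uint64_t v) { g_nvram_param_ptr = v; }
static uint64_t get_variable(void)       { return g_nvram_param_ptr; }

/* Vulnerable pattern: the NVRAM value is used as the destination pointer
   with no check at all, so the variable's writer chooses where bytes land. */
void vulnerable_handler(const uint8_t *payload, size_t len)
{
    uint8_t *dst = (uint8_t *)(uintptr_t)get_variable();
    memcpy(dst, payload, len);
}

/* Hardened pattern: accept the pointer only if [p, p+len) lies entirely
   inside the firmware-owned buffer. Returns 1 if written, 0 if refused. */
int hardened_handler(const uint8_t *payload, size_t len)
{
    uintptr_t p  = (uintptr_t)get_variable();
    uintptr_t lo = (uintptr_t)g_param_buffer;
    uintptr_t hi = lo + sizeof g_param_buffer;
    if (len > sizeof g_param_buffer || p < lo || p > hi - len)
        return 0;
    memcpy((uint8_t *)p, payload, len);
    return 1;
}

/* Attacker scenario: aim the variable at the security flag and send four
   zero bytes. Returns the flag after the vulnerable handler has run. */
uint32_t attack_vulnerable(void)
{
    const uint8_t zeros[4] = {0, 0, 0, 0};
    g_secure_boot_enforced = 1;
    set_variable((uint64_t)(uintptr_t)&g_secure_boot_enforced);
    vulnerable_handler(zeros, sizeof zeros);
    return g_secure_boot_enforced;            /* 0: flag cleared */
}

/* Same scenario against the hardened handler. Returns 1 if the write was
   refused and the flag is still set, 0 otherwise. */
int attack_hardened_blocked(void)
{
    const uint8_t zeros[4] = {0, 0, 0, 0};
    g_secure_boot_enforced = 1;
    set_variable((uint64_t)(uintptr_t)&g_secure_boot_enforced);
    int accepted = hardened_handler(zeros, sizeof zeros);
    return accepted == 0 && g_secure_boot_enforced == 1;
}

/* Legitimate use: the variable points inside the parameter buffer, so the
   hardened handler accepts it. Returns the first byte written (0x55). */
uint8_t legit_hardened(void)
{
    const uint8_t data[4] = {0x55, 0xAA, 0x55, 0xAA};
    memset(g_param_buffer, 0, sizeof g_param_buffer);
    set_variable((uint64_t)(uintptr_t)(g_param_buffer + 8));
    if (!hardened_handler(data, sizeof data))
        return 0;
    return g_param_buffer[8];
}

int main(void)
{
    printf("vulnerable handler: flag=%u\n", (unsigned)attack_vulnerable());
    printf("hardened handler:   blocked=%d\n", attack_hardened_blocked());
    printf("legitimate write:   byte=0x%02x\n", legit_hardened());
    return 0;
}
```

The check in `hardened_handler` is the whole fix: a value that arrives from an OS-writable variable is attacker input, so it is validated against the one region the handler is allowed to touch before it is ever dereferenced. In real firmware the same rule applies to any size or offset fields carried alongside the pointer.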
The vulnerable module had been circulating in the wild since 2022 and was uploaded to VirusTotal in 2024, before being reported to Microsoft at the end of February 2025.
Microsoft recently released the June edition of Patch Tuesday, its cumulative update addressing various newly discovered vulnerabilities, among them the arbitrary write vulnerability in the Microsoft-signed UEFI module, which is now tracked as CVE-2025-3052. It was assigned a severity score of 8.2/10 (high).
The company also determined that the vulnerability affected 14 modules in total, and has now revoked all of them. Since the fix is a revocation rather than a patch to the utility itself, a machine is protected only once the updated DBX has actually been written to its firmware, so it is worth confirming that the update applied.
"During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but in fact 14 different modules," said Binarly. "For this reason, the updated DBX released during the Patch Tuesday of June 10, 2025 contains 14 new hashes."
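What "14 new hashes in the DBX" means in practice, as an added example that is not Binarly's or Microsoft's code: the dbx variable is a sequence of EFI_SIGNATURE_LIST structures, and the revocations are SHA-256 entries (lists tagged with EFI_CERT_SHA256_GUID) that the firmware compares against each image's hash before it is allowed to run. The parser below walks such a blob and reports whether a given hash is present; the two-entry blob and the hash values it is tested with are constructed sample data, since the article does not list the real 14 hashes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID, c1c41626-504c-4092-aca9-41f936934328, as it is
   laid out in the variable (first three fields little-endian). */
static const uint8_t SHA256_LIST_GUID[16] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk every EFI_SIGNATURE_LIST in a dbx blob: 16-byte SignatureType GUID,
   then SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each),
   then the header and SignatureSize-byte entries, each starting with a
   16-byte SignatureOwner GUID. Returns 1 if `hash` is in a SHA-256 list,
   0 if absent, -1 if the blob is malformed or truncated. */
int dbx_contains_sha256(const uint8_t *blob, size_t blob_len, const uint8_t hash[32])
{
    size_t off = 0;
    while (off < blob_len) {
        if (blob_len - off < 28) return -1;
        const uint8_t *list = blob + off;
        uint32_t list_size = rd32(list + 16);
        uint32_t hdr_size  = rd32(list + 20);
        uint32_t sig_size  = rd32(list + 24);
        if (list_size < 28 || list_size > blob_len - off) return -1;
        if (memcmp(list, SHA256_LIST_GUID, 16) == 0) {
            if (sig_size != 16 + 32 || hdr_size > list_size - 28) return -1;
            for (size_t e = 28 + hdr_size; e + sig_size <= list_size; e += sig_size)
                if (memcmp(list + e + 16, hash, 32) == 0) return 1;
        }
        off += list_size;   /* lists of other types are skipped by size */
    }
    return 0;
}

/* Build a constructed dbx blob holding two SHA-256 entries (sample data,
   not the real revocation hashes). Returns the number of bytes written. */
size_t build_sample_dbx(uint8_t *out, size_t cap, const uint8_t a[32], const uint8_t b[32])
{
    const uint32_t sig_size = 48, list_size = 28 + 2 * 48;
    if (cap < list_size) return 0;
    memcpy(out, SHA256_LIST_GUID, 16);
    wr32(out + 16, list_size);
    wr32(out + 20, 0);          /* no signature header */
    wr32(out + 24, sig_size);
    memset(out + 28, 0, 16);  memcpy(out + 44, a, 32);   /* entry 0 */
    memset(out + 76, 0, 16);  memcpy(out + 92, b, 32);   /* entry 1 */
    return list_size;
}

static void fill(uint8_t h[32], uint8_t v) { memset(h, v, 32); }

/* Returns 1 if both sample hashes are found and an unrelated one is not. */
int sample_lookup_ok(void)
{
    uint8_t a[32], b[32], c[32], blob[256];
    fill(a, 0xAA); fill(b, 0xBB); fill(c, 0xCC);
    size_t n = build_sample_dbx(blob, sizeof blob, a, b);
    return n == 124
        && dbx_contains_sha256(blob, n, a) == 1
        && dbx_contains_sha256(blob, n, b) == 1
        && dbx_contains_sha256(blob, n, c) == 0;
}

/* Returns the parser's verdict on a blob cut off mid-list (expected -1). */
int sample_truncated_result(void)
{
    uint8_t a[32], b[32], blob[256];
    fill(a, 0xAA); fill(b, 0xBB);
    size_t n = build_sample_dbx(blob, sizeof blob, a, b);
    return dbx_contains_sha256(blob, n - 10, a);
}

int main(void)
{
    printf("sample lookup ok: %d\n", sample_lookup_ok());
    printf("truncated blob:   %d\n", sample_truncated_result());
    return 0;
}
```

To run this against a real machine, feed it the live variable: on Linux it is `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, whose first four bytes are variable attributes and must be skipped; on Windows `Get-SecureBootUEFI -Name dbx` returns the raw bytes. The hash to look up is the Authenticode (PE image) SHA-256 of the module in question, which is what Secure Boot compares, not a plain file hash.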
Via BleepingComputer