Mallory

Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells

Updated October 16, 2025 at 04:26 PM · 6 sources


Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain.

This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot.

The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel).

The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.


Related Stories

CISA and NSA Guidance on Managing UEFI Secure Boot to Counter Bootkit Threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), has released new guidance urging enterprises to verify and actively manage UEFI Secure Boot configurations to defend against persistent bootkit threats. The guidance, published as a Cybersecurity Information Sheet, highlights the risks posed by vulnerabilities such as PKFail, BlackLotus (CVE-2023-24932), and BootHole, which have enabled attackers to bypass Secure Boot protections through misconfigurations, outdated certificates, or the use of test keys. The agencies emphasize that default or neglected Secure Boot settings leave organizations exposed to firmware-level malware that can evade traditional security controls, and recommend routine audits and validation of Secure Boot variables using tools provided by the NSA. The guidance also addresses operational challenges, noting that many enterprises still rely on outdated 2011 Microsoft certificates or have Secure Boot disabled, making them susceptible to both known and emerging threats. Additional real-world examples, such as the HybridPetya ransomware and the Bombshell UEFI shell, underscore the urgency of moving firmware security to the forefront of enterprise cybersecurity policy. Administrators are advised to confirm Secure Boot enforcement, export and analyze configuration variables, and ensure only trusted certificates and hashes are present, thereby strengthening the root of trust and mitigating supply chain and boot-time attack risks.
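The audit step in the CISA/NSA guidance above (export the Secure Boot variables and check which certificates and hashes they hold) and the natural mitigation for the signed-shell story (confirm that a given binary's hash is present in dbx) both come down to parsing the EFI_SIGNATURE_LIST chain that db and dbx are stored as. The following is an added example, not code from Mallory, CISA, NSA, or Eclypsium; it assumes the variable bytes were read from efivarfs (which prepends a 4-byte attribute word), the owner GUID and hashes are constructed placeholders, and `is_hash_revoked` is a hypothetical helper name.

```python
import hashlib
import struct
import uuid

# Signature-entry type GUIDs from the UEFI specification (EFI_CERT_*_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")


def parse_siglists(data, efivarfs=True):
    """Walk the chain of EFI_SIGNATURE_LIST structures that make up db/dbx.
    Returns [(type_name, owner_guid, signature_data), ...]."""
    if efivarfs:
        data = data[4:]  # efivarfs prefixes each variable with a 4-byte attribute word
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + HDR.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")  # each entry: 16-byte owner GUID + data
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored in mixed-endian form
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_siglist(sig_type, owner, sigs):
    """Serialize one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, 16 + len(sigs[0])) + body


def is_hash_revoked(dbx_bytes, sha256_hex):
    """True if the given Authenticode SHA-256 hash appears as an EFI_CERT_SHA256 entry in dbx."""
    digest = bytes.fromhex(sha256_hex)
    return any(t == "sha256" and sig == digest for t, _, sig in parse_siglists(dbx_bytes))


# Constructed sample dbx: placeholder owner GUID, two made-up SHA-256 hashes, one fake X.509 blob.
OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # placeholder, not a real vendor GUID
SHELL_HASH = hashlib.sha256(b"constructed-sample-shell.efi").hexdigest()
SAMPLE_DBX = b"\x07\x00\x00\x00" + build_siglist(
    EFI_CERT_SHA256_GUID, OWNER, [bytes.fromhex(SHELL_HASH), bytes(32)]
) + build_siglist(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82placeholder-der"])
```

On a real system the same parser can be pointed at `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the matching `dbx-…` file; an X.509 entry's `signature_data` is the DER certificate and can be inspected with any X.509 library.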

3 months ago

UEFI Motherboard Flaw Enables Early-Boot DMA Attacks and Game Cheat Bypass

A critical vulnerability has been identified in the UEFI firmware of several major motherboard brands, including ASRock, ASUS, MSI, and Gigabyte, which allows attackers to exploit the system during the early boot process via PCIe-connected DMA devices. This flaw enables malicious actors to bypass operating system security controls by taking advantage of the Input-Output Memory Management Unit (IOMMU) not fully initializing upon boot, leaving system RAM exposed to unauthorized access and manipulation. The vulnerability has significant implications for both general system security and the integrity of anti-cheat mechanisms in online games. Riot Games, the developer of *Valorant*, has responded by blocking players who do not update their BIOS with the latest security patches, as the flaw allows sophisticated cheating devices to evade detection by anti-cheat software. Major motherboard vendors have released security updates to address the issue, and users are strongly advised to apply these patches to mitigate the risk of exploitation.

2 months ago

Hardware-Based Attacks on Secure Enclaves and Embedded Devices

Security researchers have demonstrated new hardware-based techniques to extract sensitive data from devices previously considered secure, including smartwatches and confidential computing servers. In one case, analysts revived the 'Blinkenlights' technique, adapting it to modern TFT screens to extract firmware from a budget smartwatch by exploiting a dial parser vulnerability. This allowed arbitrary memory content to be displayed on the device's screen, which was then captured using a high-speed Raspberry Pi Pico setup. The smartwatch, which contained fake health sensors and used a JieLi AC6958C6 system-on-chip, was found to have weak authentication and a flawed firmware parser, enabling the out-of-bounds read attack. Separately, researchers from KU Leuven University presented a low-cost hardware attack called 'Battering RAM' at Black Hat Europe 2025, which targets secure CPU enclaves such as Intel SGX and AMD SEV. By using a $50 DDR4 interposer, the researchers manipulated memory address mapping at runtime, bypassing firmware mitigations and gaining unauthorized access to encrypted memory. This allowed them to extract platform provisioning keys, forge attestation reports, and implant persistent backdoors on protected virtual machines, raising concerns about the security of cloud infrastructures relying on these technologies.

3 months ago
