Gigabyte motherboards vulnerable to UEFI malware bypassing Secure Boot

Dozens of Gigabyte motherboard models run on UEFI firmware vulnerable to security issues that allow planting bootkit malware that is invisible to the operating system and can survive reinstalls.

The vulnerabilities could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode (SMM), an environment isolated from the operating system (OS) and with more privileges on the machine.

Mechanisms running code below the OS have low-level hardware access and initiate at boot time. Because of this, malware in these environments can bypass traditional security defenses on the system.

UEFI, or Unified Extensible Firmware Interface, firmware is more secure due to the Secure Boot feature that ensures through cryptographic verifications that a device uses at boot time code that is safe and trusted.

For this reason, UEFI-level malware like bootkits (BlackLotus, CosmicStrand, MosaicAggressor, MoonBounce, LoJax) can deploy malicious code at every boot.

Plenty of motherboards impacted

The four vulnerabilities are in Gigabyte firmware implementations and were discovered by researchers at firmware security company Binarly, who shared their findings with Carnegie Mellon University’s CERT Coordination Center (CERT/CC).

The original firmware supplier is American Megatrends Inc. (AMI), which addressed the issues after a private disclosure but some OEM firmware builds (e.g. Gigabyte’s) did not implement the fixes at the time.

In Gigabyte firmware implementations, Binarly found the following vulnerabilities, all with a high-severity score of 8.2:

• CVE-2025-7029: bug in an SMI handler (OverClockSmiHandler) that can lead to SMM privilege escalation
• CVE-2025-7028: bug in an SMI handler (SmiFlash) gives read/write access to the System Management RAM (SMRAM), which can lead to malware installation
• CVE-2025-7027: can lead to SMM privilege escalation and modifying the firmware by writing arbitrary content to SMRAM
• CVE-2025-7026: allows arbitrary writes to SMRAM and can lead to privilege escalation to SMM and persistent firmware compromise

By our count, there are a little more than 240 motherboard models impacted – including revisions, variants, and region-specific editions, with firmware updated between late 2023 and mid-August 2024. However, BleepingComputer reached out to Binarly for an official count and will update the article with the accurate number.

Binarly researchers notified Carnegie Mellon CERT/CC about the issues on April 15 and Gigabyte confirmed the vulnerabilities on June 12, followed by the release of firmware updates, according to CERT/CC.

However, the OEM has not published a security bulletin about the security problems that Binarly reported. BleepingComputer has emailed the hardware vendor a request for comment but we are still waiting for their response.

Meanwhile, Binarly founder and CEO Alex Matrosov told BleepingComputer that Gigabyte most likely hasn’t released fixes. With many of the products already having reached end-of-life, users should not expect to receive any security updates.

“It seems that Gigabyte has not released any fixes yet, and many of the affected devices have reached end-of-life status, meaning they will likely remain vulnerable indefinitely.”

While the risk for general consumers is admittedly low, those in critical environments can assess the specific risk with Binarly’s Risk Hunt scanner tool, which includes free detection for the four vulnerabilities.

Computers from various OEMs using Gigabyte motherboards may be vulnerable, so users are advised to monitor for firmware updates and apply them promptly.