Gigabyte UEFI Firmware Vulnerability Allows Code Execution in SMM Privileged Mode

Critical security vulnerabilities in Gigabyte motherboard firmware have been disclosed that allow attackers to execute arbitrary code in System Management Mode (SMM), the most privileged execution level on x86 processors.

The flaws, identified by security researchers at Binarly REsearch, affect multiple Gigabyte motherboard models and stem from improper validation of System Management Interrupt (SMI) handlers in UEFI firmware modules.

Technical Overview of the Vulnerabilities

The four vulnerabilities stem from weaknesses in how Gigabyte’s UEFI firmware validates the data passed to SMI handlers through SMI communication buffers.

System Management Mode is often described as "ring -2", a privilege level below the hypervisor and the operating system kernel, which makes it an attractive target for attackers seeking to establish persistent, hard-to-detect malware that survives OS reinstallation and bypasses security mechanisms such as Secure Boot.

| CVE ID | Vulnerable Component | Attack Vector | Impact |
|---|---|---|---|
| CVE-2025-7029 | Power/Thermal Config | Unchecked RBX register pointer | Arbitrary SMRAM writes via OcHeader/OcData manipulation |
| CVE-2025-7028 | Flash Service SMM | Function pointer corruption | Control over flash operations (Read/Write/Erase/GetInfo) |
| CVE-2025-7027 | NVRAM Service SMM | Double pointer dereference | Arbitrary SMRAM writes via SetupXtuBufferAddress variable |
| CVE-2025-7026 | Power Management SMM | Unchecked RBX pointer in CommandRcx0 | Write to attacker-specified SMRAM locations |

An attacker with administrative privileges on a system can exploit these vulnerabilities by manipulating CPU registers before triggering System Management Interrupts.

The flaws allow writing arbitrary data to System Management RAM (SMRAM), a protected memory region that should be inaccessible to normal software.
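The check that the affected handlers lack, shown as an added illustration that is not Gigabyte's, AMI's or Binarly's code: a simulated SMI handler that validates a register-supplied pointer, and the nested buffer that pointer describes, against the SMRAM range before writing through either. The SMRAM window, the header layout and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed SMRAM window for this illustration, not a real platform value. */
#define SMRAM_BASE 0xFFFF800000000000ULL
#define SMRAM_SIZE 0x0000000000800000ULL

typedef enum { SMI_OK = 0, SMI_REJECT_HEADER = 1, SMI_REJECT_DATA = 2 } smi_status_t;

/* Hypothetical header a caller hands to the handler through a saved register. */
typedef struct {
    uint32_t command;
    uint32_t data_len;
    uint8_t *data;        /* nested pointer: the double-dereference case */
} comm_header_t;

/* True only when [base, base+len) lies entirely outside SMRAM; zero length and
 * address wrap-around are rejected (same intent as EDK2's SmmIsBufferOutsideSmmValid). */
bool buffer_outside_smram(uint64_t base, uint64_t len)
{
    uint64_t end = base + len;
    if (len == 0 || end < base)
        return false;
    return end <= SMRAM_BASE || base >= SMRAM_BASE + SMRAM_SIZE;
}

/* Hardened handler: validate the header pointer, snapshot the header so the caller
 * cannot alter it after the check (TOCTOU), validate the nested buffer, and only then
 * write. An unchecked handler skips both buffer_outside_smram calls and writes
 * wherever the register pointed, which is the bug class described above. */
smi_status_t smi_handler_checked(const comm_header_t *hdr, uint32_t status_word)
{
    if (!buffer_outside_smram((uint64_t)(uintptr_t)hdr, sizeof *hdr))
        return SMI_REJECT_HEADER;
    comm_header_t local;
    memcpy(&local, hdr, sizeof local);                 /* use the copy from here on */
    if (local.data_len < sizeof status_word ||
        !buffer_outside_smram((uint64_t)(uintptr_t)local.data, local.data_len))
        return SMI_REJECT_DATA;
    memcpy(local.data, &status_word, sizeof status_word); /* the only write performed */
    return SMI_OK;
}

/* Constructed inputs: one well-formed request, one whose nested pointer targets SMRAM. */
static uint8_t demo_out[8];
static comm_header_t demo_valid = { 1, sizeof demo_out, demo_out };
static comm_header_t demo_bad_data = { 1, 64, (uint8_t *)(uintptr_t)(SMRAM_BASE + 0x1000) };
```

A header pointer that itself falls inside SMRAM is rejected before the handler reads a single byte from it, which is why the nested check has to come after the snapshot rather than before it.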

Successful exploitation enables attackers to disable critical firmware security features, install persistent bootkits that survive disk formatting, and maintain system control even after complete OS reinstallation.

The vulnerabilities can be triggered during various system states, including early boot phases, sleep transitions, and recovery modes.

Notably, these vulnerabilities were previously addressed by American Megatrends International (AMI), the original firmware supplier, through private security disclosures.

However, the fixes never propagated to Gigabyte’s downstream firmware builds, highlighting critical gaps in the firmware supply chain.

This incident demonstrates how security patches can fail to reach end-users when OEM vendors don’t maintain synchronized update processes with upstream suppliers.

Gigabyte has acknowledged the vulnerabilities and released firmware updates through its support website.

The company’s Product Security Incident Response Team (PSIRT) collaborated with researchers during the coordinated disclosure process.

Users are strongly advised to immediately check Gigabyte’s support portal for their specific motherboard model and apply available firmware updates.

The disclosure was coordinated through CERT/CC, with Binarly REsearch credited for the responsible disclosure.

Organizations should implement firmware update policies as part of their vulnerability management programs, as these low-level vulnerabilities can undermine all higher-level security controls.

Regular firmware updates should be treated with the same urgency as operating system patches, given their potential for system-wide compromise.
