Vulnerable firmware for Gigabyte motherboards could allow bootkit installation

UEFI firmware running on 100+ Gigabyte motherboard models is affected by memory corruption vulnerabilities that may allow attackers to install persistent and difficult-to-detect bootkits (i.e., malware designed to infect the computer’s boot process).

“While AMI (the original firmware supplier) has indicated that these vulnerabilities were previously addressed, they have resurfaced in Gigabyte [OEM firmware builds] and are now being publicly disclosed,” Carnegie Mellon University’s CERT Coordination Center (CERT/CC) warned on Friday.

The Gigabyte UEFI vulnerabilities

The four vulnerabilities, reported by the Binarly REsearch team, affect the System Management Mode (SMM) module in Gigabyte motherboards, which is used for handling low-level system operations and is, therefore, highly privileged.

“SMM operations are executed within a protected memory region called System Management RAM (SMRAM) and are only accessible through System Management Interrupt (SMI) handlers,” CERT/CC explained.

The vulnerabilities – CVE-2025-7029, CVE-2025-7028, CVE-2025-7027, CVE-2025-7026 – can be used to write attacker-specified content to SMRAM.

“SMI handlers act as a gateway to SMM and process data passed via specific communication buffers. Improper validation of these buffers or untrusted pointers from CPU save state registers can lead to serious security risks, including SMRAM corruption and unauthorized SMM execution. These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes—before the OS fully loads,” the Coordination Center noted.
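The buffer and pointer validation CERT/CC describes, sketched as an added example (not Gigabyte's or AMI's code, and not part of the original article): a toy SMI handler that trusts a register-supplied pointer, beside one that rejects any range overlapping SMRAM. The memory layout, sizes and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout: 1 KiB of "physical memory"; the top 256 bytes model SMRAM. */
#define PHYS_SIZE  0x400u
#define SMRAM_BASE 0x300u
#define SMRAM_SIZE 0x100u
static uint8_t phys[PHYS_SIZE];

/* True only if [addr, addr+len) is non-empty, does not wrap around,
 * stays inside physical memory, and does not overlap SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr > UINT64_MAX - len) return false;  /* empty or wraps */
    uint64_t end = addr + len;                              /* exclusive end */
    if (end > PHYS_SIZE) return false;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Weak pattern: uses a pointer taken from a saved CPU register as-is. */
int smi_handler_unchecked(uint64_t reg_ptr, const uint8_t *data, uint64_t len) {
    if (len > PHYS_SIZE || reg_ptr > PHYS_SIZE - len) return -1; /* toy bounds only */
    memcpy(&phys[reg_ptr], data, (size_t)len);  /* may land inside SMRAM */
    return 0;
}

/* Hardened pattern: validate the whole range before touching it. */
int smi_handler_checked(uint64_t reg_ptr, const uint8_t *data, uint64_t len) {
    if (!range_outside_smram(reg_ptr, len)) return -1;      /* reject and do nothing */
    memcpy(&phys[reg_ptr], data, (size_t)len);
    return 0;
}

/* Helper for the demo: has any modelled SMRAM byte changed from zero? */
bool smram_intact(void) {
    for (size_t i = 0; i < SMRAM_SIZE; i++)
        if (phys[SMRAM_BASE + i] != 0) return false;
    return true;
}

int main(void) {
    uint8_t payload[16];
    memset(payload, 0xAA, sizeof payload);
    /* 0x2F8 + 16 straddles the SMRAM boundary at 0x300. */
    int r = smi_handler_checked(0x2F8, payload, sizeof payload);
    printf("checked:   rc=%d smram_intact=%d\n", r, smram_intact());
    r = smi_handler_unchecked(0x2F8, payload, sizeof payload);
    printf("unchecked: rc=%d smram_intact=%d\n", r, smram_intact());
    return 0;
}
```

In EDK II-based firmware the equivalent range check is provided by `SmmIsBufferOutsideSmmValid()` in SmmMemLib.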

UEFI security mechanisms – e.g., Secure Boot, Intel BootGuard – would be powerless to stop the implantation of bootkits, and EDR solutions are unlikely to spot them or mitigate the problem.

Update, if you can

Since the public disclosure of the vulnerabilities, Gigabyte has confirmed that they’ve addressed three of the four flaws.

“These vulnerabilities exist only on older Intel platforms where the affected SMM modules are implemented. Newer platforms are not impacted,” the company said, and advised customers to check whether the platform they use is among those affected and to update their firmware.

Unfortunately, some of the affected platforms are no longer supported, and security updates will not be made available. Thus, as Binarly CEO Alex Matrosov noted, these devices “will likely remain vulnerable indefinitely”.

“Firmware vulnerabilities like these represent a nightmare scenario—persistent, hard-to-detect control that bypasses virtually all OS-level defenses. It’s the ultimate ‘ghost in the machine’ scenario: compromise at the hardware layer that operates below the OS’s visibility and exploits a space inherently trusted by the system,” Gunter Ollmann, CTO at Cobalt, told Help Net Security.

“This evolution in attacker tactics reinforces the need for security testing that spans every layer of the stack. Organizations should incorporate firmware-level targets into their pentesting programs and ensure their red teams have the expertise to probe the deepest layers of system architecture.”

These specific vulnerabilities were initially fixed by American Megatrends Incorporated (AMI) and the fact was shared (under a non-disclosure agreement) with downstream partners, which means that other OEM vendors might have failed to address them.
