CERT warns of UEFI vulnerabilities in Gigabyte firmware

The CERT has published a warning about privilege escalation vulnerabilities in the UEFI firmware of Gigabyte mainboards. Updates are necessary.


The UEFI firmware of numerous Gigabyte mainboards contains security vulnerabilities that allow attackers to escalate their privileges on the system considerably. Gigabyte provides BIOS updates for numerous mainboards that close the gaps.

The CERT is currently issuing a warning about this. The vulnerabilities affect System Management Mode (SMM). "Attackers could exploit one or more of these vulnerabilities to elevate their privileges and execute arbitrary code in the SMM environment of a UEFI-supported processor," is how the CERT summarizes the vulnerabilities. BIOS manufacturer AMI has told CERT that it had already patched the vulnerabilities following confidential reports, but that they have resurfaced in the Gigabyte firmware and have now been made public.

UEFI can interact directly with the hardware in System Management Mode, a highly privileged CPU mode intended for basic operating system operations; within the CPU privilege levels it is also referred to as ring "-2". Code at this privilege level runs in a protected memory area called System Management RAM (SMRAM) and is reachable only through System Management Interrupts (SMIs), CERT explains. The SMI handlers serve as the entry points into SMM and process data passed to them via communication buffers. Inadequate validation of these buffers, or of untrusted pointers taken from processor status registers, can lead to "serious security risks", including SMRAM tampering and unauthorized SMM execution, the CERT explains further. Attackers can abuse the SMI handlers to execute arbitrary code early in the boot process, in recovery modes, or before the operating system is fully loaded.

In the individual security bulletins, the IT security researchers point out that code running at this level can also bypass the SMM-based protections against modification of the SPI flash memory, Secure Boot, and some hypervisor-based forms of memory isolation. Code implanted in this way can even survive operating system reinstallations. Binarly has now discovered and reported a total of four security vulnerabilities.


One is the unchecked use of the RBX register, which leads to SMRAM write accesses (CVE-2025-7029 / EUVD-2025-21142, CVSS 8.2, risk "high"). Missing checks of function pointer structures derived from RBX and RCX allow attackers to perform critical flash operations such as ReadFlash, WriteFlash, EraseFlash and GetFlashInfo (CVE-2025-7028 / EUVD-2025-21138, CVSS 8.2, risk "high"). In addition, a double pointer dereference, in which the write location comes from the unchecked NVRAM variable SetupXtuBufferAddress and the content written comes from a memory area pointed to by an attacker-controllable pointer in the RBX register, allows arbitrary content to be written to SMRAM (CVE-2025-7027 / EUVD-2025-21141, CVSS 8.2, risk "high"). Finally, the attacker-controllable RBX register is used as an unchecked pointer in the CommandRcx0 function, allowing writes to attacker-chosen areas of SMRAM (CVE-2025-7026 / EUVD-2025-21137, CVSS 8.2, risk "high").
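The common pattern behind these four bugs, and behind the buffer-validation point CERT makes above, is an SMI handler that trusts a pointer the caller left in a register. The following C model is an added example, not Gigabyte's, AMI's or Binarly's code: a handler reads a command block at the address supplied in RBX and writes to the destination named in that block, once without any SMRAM check and once with the check that EDK2 provides as SmmIsBufferOutsideSmmValid (reimplemented here). The physical address space, SMRAM window, command-block layout and all function names are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model: 64 KiB of "physical" memory with SMRAM at [0x8000, 0xC000).
 * Illustrative code added here, not Gigabyte, AMI or Binarly code. */
#define PHYS_SIZE  0x10000u
#define SMRAM_BASE 0x8000u
#define SMRAM_SIZE 0x4000u
static uint8_t phys[PHYS_SIZE];
enum { SMI_OK = 0, SMI_REJECTED = 1 };
/* Command block a ring-0 caller stages in memory and points RBX at (constructed layout). */
typedef struct { uint32_t dst; uint32_t len; uint8_t payload[8]; } CmdBlock;

/* Simulation guard only: keeps the model's memcpy inside phys[]. */
static bool in_phys(uint32_t addr, uint32_t len) {
    return len <= PHYS_SIZE && addr <= PHYS_SIZE - len;
}
/* True only if [addr, addr+len) lies wholly outside SMRAM; zero length and address
 * wrap-around are rejected. Same intent as EDK2's SmmIsBufferOutsideSmmValid. */
bool buffer_outside_smram(uint32_t addr, uint32_t len) {
    if (len == 0 || addr > UINT32_MAX - len) return false;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Vulnerable pattern: RBX and the dst it points to are used without any SMRAM check. */
int vulnerable_handler(uint32_t rbx) {
    CmdBlock cmd;
    if (!in_phys(rbx, sizeof cmd)) return SMI_REJECTED;           /* simulation guard */
    memcpy(&cmd, &phys[rbx], sizeof cmd);
    if (cmd.len > sizeof cmd.payload || !in_phys(cmd.dst, cmd.len)) return SMI_REJECTED;
    memcpy(&phys[cmd.dst], cmd.payload, cmd.len);                  /* may land in SMRAM */
    return SMI_OK;
}

/* Hardened pattern: reject RBX unless the whole block lies outside SMRAM, copy it into
 * SMM-local storage, then validate the copied dst/len (no TOCTOU on the caller's block). */
int hardened_handler(uint32_t rbx) {
    CmdBlock cmd;
    if (!buffer_outside_smram(rbx, sizeof cmd) || !in_phys(rbx, sizeof cmd)) return SMI_REJECTED;
    memcpy(&cmd, &phys[rbx], sizeof cmd);
    if (cmd.len > sizeof cmd.payload || !in_phys(cmd.dst, cmd.len)) return SMI_REJECTED;
    if (!buffer_outside_smram(cmd.dst, cmd.len)) return SMI_REJECTED;
    memcpy(&phys[cmd.dst], cmd.payload, cmd.len);
    return SMI_OK;
}
/* Stages a command block at `at` asking the handler to write `len` bytes of 0xAA to `dst`. */
bool stage_command(uint32_t at, uint32_t dst, uint32_t len) {
    CmdBlock cmd = { dst, len, {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA} };
    if (!in_phys(at, sizeof cmd)) return false;
    memcpy(&phys[at], &cmd, sizeof cmd);
    return true;
}
```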

The Binarly security notifications contain a list of at least 80 affected Gigabyte mainboards, some of which are older models. A spot check shows that Gigabyte apparently released numerous BIOS updates in June that patch the vulnerabilities.

Last week, problems with AMD's firmware TPM (fTPM) became known, for which AMD has been providing fixes for years. However, various manufacturers have not been shipping these fixes in updated BIOS versions.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.