Dozens of Gigabyte motherboard models run on UEFI firmware vulnerable to security issues that allow planting bootkit malware that is invisible to the operating system and can survive reinstalls.
The vulnerabilities could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode (SMM), an environment isolated from the operating system (OS) and with more privileges on the machine.
Mechanisms running code below the OS have low-level hardware access and initiate at boot time. Because of this, malware in these environments can bypass traditional security defenses on the system.
UEFI, or Unified Extensible Firmware Interface, firmware is more secure due to the Secure Boot feature that ensures through cryptographic verifications that a device uses at boot time code that is safe and trusted.
For this reason, UEFI-level malware like bootkits (BlackLotus, CosmicStrand, MosaicAggressor, MoonBounce, LoJax) can deploy malicious code at every boot.
Plenty of motherboards impacted
The four vulnerabilities are in Gigabyte firmware implementations and were discovered by researchers at firmware security company Binarly, who shared their findings with Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
The original firmware supplier is American Megatrends Inc. (AMI), which addressed the issues after a private disclosure but some OEM firmware builds (e.g. Gigabyte’s) did not implement the fixes at the time.
In Gigabyte firmware implementations, Binarly found the following vulnerabilities, all with a high-severity score of 8.2:
- CVE-2025-7029: bug in an SMI handler (OverClockSmiHandler) that can lead to SMM privilege escalation
- CVE-2025-7028: bug in an SMI handler (SmiFlash) gives read/write access to the System Management RAM (SMRAM), which can lead to malware installation
- CVE-2025-7027: can lead to SMM privilege escalation and modifying the firmware by writing arbitrary content to SMRAM
- CVE-2025-7026: allows arbitrary writes to SMRAM and can lead to privilege escalation to SMM and persistent firmware compromise
By our count, there are a little more than 240 motherboard models impacted – including revisions, variants, and region-specific editions, with firmware updated between late 2023 and mid-August 2024.
BleepingComputer reached out to Binarly for an official count and a company representative told us that “over a hundred product lines are affected.”
Products from other enterprise device vendors are also impacted by the four vulnerabilities but their names remain undisclosed until fixes become available.
Binarly researchers notified Carnegie Mellon CERT/CC about the issues on April 15 and Gigabyte confirmed the vulnerabilities on June 12, followed by the release of firmware updates, according to CERT/CC.
However, the OEM has not published a security bulletin about the security problems that Binarly reported. BleepingComputer has emailed the hardware vendor a request for comment but we are still waiting for their response.
Meanwhile, Binarly founder and CEO Alex Matrosov told BleepingComputer that Gigabyte most likely hasn’t released fixes. With many of the products already having reached end-of-life, users should not expect to receive any security updates.
“Because all these four vulnerabilities originated from AMI reference code, AMI disclosed these vulnerabilities a while ago with their silent disclosure to paid customers only under NDA, and it caused significant effects for years on the downstream vendors when they stayed vulnerable and unpatched” – Alex Matrosov
“It seems that Gigabyte has not released any fixes yet, and many of the affected devices have reached end-of-life status, meaning they will likely remain vulnerable indefinitely.”
While the risk for general consumers is admittedly low, those in critical environments can assess the specific risk with Binarly’s Risk Hunt scanner tool, which includes free detection for the four vulnerabilities.
Computers from various OEMs using Gigabyte motherboards may be vulnerable, so users are advised to monitor for firmware updates and apply them promptly.
UPDATE [July 14th, 13:23 EST]: Article updated with comment from Binarly saying that the four vulnerabilities affect more than 100 motherboards, and that products from other vendors are impacted.
While cloud attacks may be growing more sophisticated, attackers still succeed with surprisingly simple techniques.
Drawing from Wiz’s detections across thousands of organizations, this report reveals 8 key techniques used by cloud-fluent threat actors.
