Critical security vulnerabilities have been found in Gigabyte UEFI firmware that would allow attackers to execute arbitrary code in System Management Mode (SMM), one of the most privileged execution environments in modern processors.
The vulnerabilities, disclosed by the Software Engineering Institute's CERT Coordination Center on July 11, 2025, affect multiple Gigabyte systems and could allow attackers to bypass fundamental security protections, including Secure Boot and Intel BootGuard.
Key Takeaways
1. Four CVE vulnerabilities in Gigabyte UEFI firmware allow attackers to execute code in privileged System Management Mode (SMM).
2. Exploitation bypasses Secure Boot and Intel BootGuard, enabling persistent firmware-level malware that is undetectable by antivirus.
3. Gigabyte systems are vulnerable through local or remote admin access during boot, sleep states, or normal operation.
4. Check the Gigabyte support website and install the latest UEFI firmware updates immediately.
Technical Details of the Vulnerabilities
The discovered vulnerabilities stem from improper validation in SMI (System Management Interrupt) handlers within Gigabyte's UEFI firmware implementations.
Four distinct CVE identifiers have been assigned to these flaws: CVE-2025-7029, CVE-2025-7028, CVE-2025-7027, and CVE-2025-7026.
These vulnerabilities exploit weaknesses in how the firmware validates data when processing SMI requests, particularly through unchecked register usage and inadequate pointer validation.
CVE-2025-7029 involves unchecked use of the RBX register, allowing attackers to control the OcHeader and OcData pointers used in power and thermal configuration logic, resulting in arbitrary SMRAM (System Management RAM) writes.
CVE-2025-7028 lacks validation of function pointer structures derived from the RBX and RCX registers, enabling attacker control over critical flash operations, including the ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo functions, through compromised FuncBlock structures.
CVE-2025-7027 presents a double pointer dereference vulnerability involving memory write operations from an unvalidated NVRAM variable, SetupXtuBufferAddress, while CVE-2025-7026 allows attackers to use the RBX register as an unchecked pointer within the CommandRcx0 function, enabling writes to attacker-specified memory regions in SMRAM.
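All four flaws share one root cause: a value the caller controls (a register, an NVRAM variable, a structure reached through it) is used as a pointer by code running in SMM without first checking that the target lies outside SMRAM. The added example below is not Gigabyte's, AMI's or Binarly's code; it models that pattern in a vulnerable handler next to a hardened one that applies the same range check EDK2 exposes as SmmIsBufferOutsideSmmValid(). The SMRAM window, the SmiContext layout and the 16-byte block size are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window for illustration only; a real handler reads
   the platform's SMRAM descriptors. Not Gigabyte's memory layout. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x01000000ULL

/* True only if [addr, addr+size) lies entirely outside SMRAM.
   Rejects the two classic mistakes: a zero length, and an address+size
   that wraps around 64 bits so that "end" appears small. */
bool IsBufferOutsideSmram(uint64_t addr, uint64_t size)
{
    if (size == 0) return false;                 /* degenerate length */
    if (addr > UINT64_MAX - size) return false;  /* would wrap around */
    uint64_t end = addr + size;                  /* exclusive end */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Register state handed to the SMI handler (constructed, mirrors the
   "RBX used as an unchecked pointer" pattern described above). */
typedef struct { uint64_t rbx; uint64_t rcx; } SmiContext;

enum { SMI_OK = 0, SMI_REJECTED = 1 };

/* Vulnerable pattern: trusts RBX as the address of a 16-byte block and
   would write through it. Instead of dereferencing, report the target. */
int VulnerableHandler(const SmiContext *ctx, uint64_t *written_at)
{
    *written_at = ctx->rbx;   /* no validation: target may be inside SMRAM */
    return SMI_OK;
}

/* Hardened pattern: refuse any block that touches SMRAM before use. */
int HardenedHandler(const SmiContext *ctx, uint64_t *written_at)
{
    const uint64_t block_size = 16;
    if (!IsBufferOutsideSmram(ctx->rbx, block_size)) {
        *written_at = 0;
        return SMI_REJECTED;
    }
    *written_at = ctx->rbx;   /* safe: block lies wholly outside SMRAM */
    return SMI_OK;
}
```

The check must cover the whole block, not just its first byte; a buffer that straddles the SMRAM boundary is rejected for exactly that reason.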
"The vulnerabilities allow attackers with local or remote administrative privileges to achieve code execution at Ring-2 privilege level, effectively bypassing all operating system-level protections," reads the CERT/CC report.
SMM operates below the OS kernel, making these attacks particularly dangerous as they can persist through system reboots and remain undetected by traditional endpoint security solutions.
Exploitation can occur through multiple vectors, including SMI handlers triggered from within the operating system, or during critical system states such as early boot phases, sleep transitions, or recovery modes before the OS fully loads.
Successful exploitation allows attackers to disable essential UEFI security mechanisms, creating opportunities for stealthy firmware implants and establishing persistent system control.
The Binarly Research team responsibly disclosed these vulnerabilities to CERT/CC, with Gigabyte's PSIRT providing timely collaboration.
| CVE Identifier | Description | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-7029 | Unchecked RBX register allows arbitrary SMRAM writes through OcHeader/OcData pointers | 9.8 | Critical |
| CVE-2025-7028 | Unvalidated function pointers allow attacker control over flash operations | 9.8 | Critical |
| CVE-2025-7027 | Double pointer dereference allows arbitrary SMRAM writes | 9.8 | Critical |
| CVE-2025-7026 | Unchecked RBX register allows arbitrary SMRAM writes in CommandRcx0 | 9.8 | Critical |
Gigabyte has released updated firmware to address these vulnerabilities and strongly advises users to visit its support website to determine whether their system is affected and apply the necessary updates.
According to AMI, the original firmware supplier, these vulnerabilities were previously addressed through private disclosures, yet the vulnerable implementations persisted in some OEM firmware builds.
Users should immediately check for firmware updates and monitor vendor advisories, as these supply chain vulnerabilities may affect other PC OEM vendors beyond Gigabyte.