NEWS Secure Boot? Not so “secure” — your PC treacherously opens the door to hackers even before booting up.

ExcalibuR



Microsoft signed the death warrant of your security — and didn’t even notice.


Nearly all modern computers with Secure Boot enabled have been put at risk due to a critical vulnerability, CVE-2025-3052, that allows complete deactivation of the boot protection and the injection of malicious code even before the operating system starts. The discovery was made by researcher Alex Matrosov of Binarly, who identified the issue while analyzing a Microsoft-signed BIOS utility designed for firmware updates on secured tablets.


The key risk factor lies in the Microsoft UEFI CA 2011 signature — this root certificate is trusted on virtually all systems with UEFI and Secure Boot. Although the utility was intended for specific devices, thanks to this signature it can run on any modern hardware, effectively opening the gates for attacks.


Research revealed that the vulnerable component has been circulating in the wild at least since the end of 2022. One instance of it was uploaded to VirusTotal in 2024, after which it was discovered by Binarly specialists. The initial notification of the issue was sent to CERT/CC on February 26, 2025, and the fix was included in Microsoft’s June update on June 11.


However, the scope turned out to be more severe than initially thought. Instead of a single component, as first assumed, 14 modules turned out to be vulnerable. All of them have now been added to the Secure Boot certificate revocation list (dbx), which was updated on the same day along with Microsoft’s monthly security update.


The core of the vulnerability lies in how the BIOS utility interacts with the IhisiParamBuffer variable, which is written to non-volatile memory (NVRAM). The lack of validation allows an attacker with administrator rights to modify UEFI behavior even before the kernel or the operating system itself loads. Binarly succeeded in creating a working exploit that resets the gSecurity2 variable — a structure that points to the Security2 protocol, which controls the Secure Boot mechanism.


Once Secure Boot is disabled, it becomes possible to load any unsigned UEFI modules, including malicious bootloaders — so-called bootkits, which operate at a level beyond the reach of antivirus software and the operating system. This gives attackers complete control over the device and the ability to disable other security mechanisms.


To neutralize the threat, Microsoft has released an updated dbx file, which should be installed immediately on all vulnerable systems. This applies to both home PCs and server solutions that use UEFI and trust the Microsoft UEFI CA 2011 certificate.


Binarly also published a video demonstrating how their PoC exploit disables Secure Boot and allows an arbitrary message to be displayed even before the operating system starts.


Notably, on the same day, another Secure Boot vulnerability was disclosed. It was named Hydroph0bia and is tracked as CVE-2025-4275. This was discovered by Nikolaj Schlej in Insyde H2O-based firmware. This flaw also allowed bypassing Secure Boot and was fixed 90 days after the report was submitted to Insyde.
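As an added defender-side example (not part of the post, and not Binarly's or Microsoft's code): a Python parser for the EFI_SIGNATURE_LIST format in which the db/dbx variables are stored, so that an installed dbx can be inspected and a given SHA-256 checked against it. The hashes in the sample blob are constructed placeholders, not the real hashes of the 14 revoked modules, which the post does not list.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: entries of this type are
# SHA-256 hashes of PE images (the form dbx uses to revoke individual binaries).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob: bytes):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx variable.

    Returns a list of (signature_type, owner_guid, signature_data) tuples,
    one per EFI_SIGNATURE_DATA entry, and rejects inconsistent size fields.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:  # 16-byte GUID + three uint32 size fields
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size field is inconsistent")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def dbx_contains_hash(blob: bytes, sha256_hex: str) -> bool:
    """True if the given PE-image SHA-256 is revoked by this dbx blob."""
    target = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == target
               for t, _, d in parse_signature_lists(blob))


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here for test data)."""
    sigs = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", 28 + len(sigs), 0, 16 + 32) + sigs)


# Constructed sample: placeholder hashes, NOT the real CVE-2025-3052 module hashes.
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)

if __name__ == "__main__":
    print(len(parse_signature_lists(SAMPLE_DBX)), "revocation entries")
    print(dbx_contains_hash(SAMPLE_DBX, "22" * 32))
```

On Windows the live variable can be read with `(Get-SecureBootUEFI -Name dbx).Bytes` and on Linux from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after skipping the 4-byte attribute prefix that efivars prepends.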