Found in the wild: 2 Secure Boot exploits. Microsoft is patching only 1 of them. arstechnica.com/security/…
Researchers have unearthed two publicly available exploits that completely evade protections offered by Secure Boot, the industry-wide mechanism for ensuring devices load only secure operating system images during the boot-up process. Microsoft is taking action to block one exploit and allowing the other one to remain a viable threat.
As part of Tuesday’s monthly security update routine, Microsoft patched CVE-2025-3052, a Secure Boot bypass vulnerability affecting more than 50 device makers. More than a dozen modules that allow devices from these manufacturers to run on Linux allow an attacker with physical access to turn off Secure Boot and, from there, go on to install malware that runs before the operating system loads. Such “evil maid” attacks are precisely the threat Secure Boot is designed to prevent. The vulnerability can also be exploited remotely to make infections stealthier and more powerful if an attacker has already gained administrative control of a machine.
The second publicly available Secure Boot exploit was discovered by researcher Zack Didcott. As he reported earlier this month, CVE-2025-47827 stems from IGEL, a Linux kernel module for handling their proprietary logical volume management. The initial shim, which loads GRUB and the vulnerable kernel, is signed by Microsoft.
Attackers with even brief physical access to a device can boot it up in IGEL and then modify the boot loader to install malware. Didcott said he reported the vulnerability to Microsoft and has received no indication the company has plans to revoke the signature. Microsoft didn’t respond to emails seeking confirmation and the reason for its decision.
Researchers at Eclypsium, a firm specializing in firmware security, said the module provides a near-universal means for bypassing Secure Boot protections.
“Because Microsoft’s 3rd Party UEFI CA is trusted by almost all PC-like devices, an unrevoked vulnerability in any of the components verified with that key… allows you to break Secure Boot to load an untrusted OS,” one of the researchers, Jesse Michael, wrote in an email. “Any system that trusts the Microsoft 3rd Party UEFI CA will load and run their version of the shim, which has been signed by that key. Their shim will then use its own embedded key to verify the IGEL-signed kernel+initramfs and malicious rootfs, which can be modified to chain-load another operating system such as Windows or a different version of Linux.”