Security experts have found multiple serious flaws in the UEFI firmware of Gigabyte motherboards, potentially allowing attackers to install bootkits that bypass Secure Boot protection, operate below the operating system, and remain active even after the system is reinstalled.


Could be hijacked at the highest level.

These vulnerabilities affect System Management Mode (SMM), an execution mode deep within the UEFI architecture that has greater access than even the operating system. If exploitation succeeds, the attacker can execute malicious code directly in SMM and use it to write arbitrary data into SMRAM, disable Secure Boot, and even install a firmware implant (malicious code at the system software level) as a bootkit, similar to the well-known BlackLotus and CosmicStrand malware.

The vulnerabilities have been assigned identifiers CVE-2025-7026 through CVE-2025-7029, and all were given a severity score of CVSS 8.2. The results show that the vulnerability is not associated with a high level of risk (CCR). Specifically:

  • CVE-2025-7026: Allows arbitrary writes to SMRAM, leading to privilege escalation and control of the firmware.
  • CVE-2025-7027: Allows data to be written to SMRAM, which can lead to malicious modification of the firmware.
  • CVE-2025-7028: Flaw in the SmiFlash handler, allowing attackers to read and write SMRAM to install a bootkit.
  • CVE-2025-7029: Flaw in the OverClockSmiHandler handler, allowing privilege escalation in SMM.

Gigabyte – wide impact

It was initially confirmed that over 240 Gigabyte motherboard models were affected. However, according to the July 14 update, these vulnerabilities actually affected over 100 mainboard models from various manufacturers, not only Gigabyte, because they use firmware from American Megatrends Inc. (AMI).

Notably, AMI has quietly released patches under NDA, but Gigabyte's firmware has yet to incorporate these fixes.

Gigabyte speaks up, but not fully.

After the information was made public, Gigabyte released a security bulletin on July 15, but it mentioned only three of the four vulnerabilities that Binarly discovered. One vulnerability has yet to be made public or patched, raising concerns about a potential backdoor in the device.

In addition, the majority of affected boards have reached end of life (EOL), so the chance of receiving official patches from the manufacturer is near zero.

In the face of this situation, users, especially those operating in critical infrastructure environments, need to:

  • Proactively check the model of the motherboard in use
  • Track firmware updates from Gigabyte and related OEMs
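
As an added example (not from the original article or from any vendor), the two checks above can be scripted on Linux hosts. It assumes the standard `/sys/class/dmi/id` files and a hypothetical local watchlist file of affected board models that you copy from the vendor bulletins; the function and status names are this example's own.

```bash
#!/bin/sh
# Added example: triage a Linux host against the advisory's scope.
# DMI file names are the standard Linux sysfs ones; the watchlist file
# (one board model per line, '#' for comments) is an assumed local format
# that you fill from the vendor bulletins.

# Print the first line of a DMI field, or nothing if it is unreadable.
dmi_field() {
    if [ -r "$1/$2" ]; then head -n 1 "$1/$2" | tr -d '\r'; fi
}

# check_board DMI_DIR WATCHLIST -> prints "<STATUS> <details>"
#   LISTED        board model appears on the watchlist
#   REVIEW        Gigabyte board or AMI firmware, model not on the list
#   OUT_OF_SCOPE  neither vendor string matches
check_board() (
    dmi=$1
    watchlist=$2
    board_vendor=$(dmi_field "$dmi" board_vendor)
    board_name=$(dmi_field "$dmi" board_name)
    bios_vendor=$(dmi_field "$dmi" bios_vendor)
    bios_version=$(dmi_field "$dmi" bios_version)
    bios_date=$(dmi_field "$dmi" bios_date)
    details="board=\"$board_vendor $board_name\" firmware=\"$bios_vendor $bios_version $bios_date\""

    # Whole-line, case-insensitive, fixed-string match, so a listed model
    # never matches a longer model name that merely starts the same way.
    if [ -n "$board_name" ] && [ -r "$watchlist" ] &&
       grep -v '^[[:space:]]*#' "$watchlist" | grep -qixF -e "$board_name"; then
        echo "LISTED $details"
    else
        vendors=$(printf '%s|%s' "$board_vendor" "$bios_vendor" | tr '[:upper:]' '[:lower:]')
        case $vendors in
            *gigabyte*|*"american megatrends"*) echo "REVIEW $details" ;;
            *) echo "OUT_OF_SCOPE $details" ;;
        esac
    fi
)

# Stand-alone use: ./check_board.sh affected-models.txt
if [ "$#" -ge 1 ]; then check_board /sys/class/dmi/id "$1"; fi
```

The reported firmware version and date are what you compare against the vendor's fixed release once one is published for that model.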

This incident further highlights the danger posed by UEFI firmware, which has the deepest access on the device but is often overlooked in security work. With the ability to bypass Secure Boot and persist long term, UEFI malware such as bootkits is becoming a real threat to both personal users and business systems. Firmware updates and regular checks are essential to protect your device from low-level attacks like this.

According to Bleeping Computer