Microsoft patches Secure Boot flaw, but second exploit lurks

Microsoft released patches Tuesday for a vulnerability that allows attackers to bypass Secure Boot protections on most modern computers, but a second exploit targeting a different firmware remains unaddressed, leaving millions of devices potentially vulnerable to bootkit malware.

The software giant fixed CVE-2025-3052 as part of its June Patch Tuesday by adding 14 compromised module hashes to Secure Boot's revocation database, according to security firm Binarly. The flaw affects nearly every system that trusts Microsoft's "UEFI CA 2011" certificate, which includes most hardware supporting Secure Boot protections.

Curated by

katemccarthy

3 min read

Published

3,828

BleepingComputer

New Secure Boot flaw lets attackers install bootkit malware, patch now

BnkInfoSecurity

Researchers Spot Serious UEFI Secure Boot Bypass Flaw

Tom's Hardware

Secure Boot key compromised in 2022 is still in use in over 200 ...

May 2025 Patch Tuesday Updates Fix 5 Zero-Day Flaws

petri.com

Critical Bypass Allows Malware Installation

The patched vulnerability stems from a legitimate BIOS update utility signed with Microsoft's widely-trusted certificate that reads user-writable memory without validation1. Attackers with administrative access can exploit this to disable Secure Boot entirely, clearing the path for bootkit malware that operates before the operating system loads.

"By setting it to zero, we effectively disable Secure Boot, allowing the execution of any unsigned UEFI modules," Binarly explained in its technical analysis1. The vulnerable module has circulated undetected since late 2022, according to BleepingComputer1.

Binarly researcher Alex Matrosov discovered the flaw and reported it to CERT/CC in February1. During Microsoft's investigation, the company determined the issue affected 13 additional modules beyond the original finding1.

1 source

Second Exploit Remains Active

While Microsoft addressed CVE-2025-3052, another Secure Boot bypass dubbed "Hydroph0bia" continues to threaten systems running Insyde H2O firmware1. Security researcher Nikolaj Schlej disclosed CVE-2025-4275 Tuesday, though Insyde patched the vulnerability 90 days after disclosure1.

The Hydroph0bia flaw affects UEFI-compatible firmware based on Insyde's H2O platform, representing a separate attack vector from the Microsoft-patched vulnerability1.

1 source

Pattern of Persistent Vulnerabilities

Tuesday's patches continue a troubling pattern of Secure Boot compromises. Earlier this year, Microsoft fixed CVE-2024-7344, present in multiple system recovery tools1. In 2022, researchers revealed that over 200 device models from major manufacturers used compromised cryptographic keys, with some using test keys marked "DO NOT SHIP"23.

Security Week reported that the patched flaw was part of a larger Patch Tuesday addressing 66 vulnerabilities, including nine critical-severity flaws with remote code execution capabilities4.

"If the key will be leaked, it's impacting the ecosystem. It's not impacting a single device," Matrosov told Tom's Hardware in reference to previous Secure Boot compromises2.

Microsoft and Binarly urged immediate installation of the updated revocation database to protect against the newly patched exploit5.

5 sources

Why does the second exploit "Hydroph0bia" still threaten Insyde H2O firmware systems

How might the unpatched Secure Boot flaw enable persistent bootkit malware attacks

What are the long-term risks of compromised cryptographic keys in Secure Boot history

Discover more

Microsoft Outlook restored after 11-hour global outage

Microsoft Outlook users worldwide regained access to their email accounts Thursday afternoon following an 11-hour outage that began Wednesday evening, marking one of the service's longest disruptions in recent memory. The company attributed the widespread blackout to a misconfigured mailbox infrastructure setting that prevented authentication across multiple platforms. The outage began at 6:20...

3,448

ServiceNow patches high-severity flaw affecting Fortune 500s

ServiceNow issued a CVE designation on July 8 for a high-severity vulnerability that security researchers say could have exposed sensitive data across hundreds of tables in the widely-used enterprise platform. The flaw, dubbed "Count(er) Strike" by Varonis researchers who discovered it, exploits weaknesses in ServiceNow's access control logic to allow low-privileged users to extract restricted...

Adobe patches 58 vulnerabilities, 3 critical flaws

Adobe released security patches on Tuesday for 58 vulnerabilities across 13 products, including three critical flaws that could allow hackers to execute malicious code on users' computers. The most severe vulnerability, tracked as CVE-2025-27203, affects Adobe Connect and carries a CVSS severity score of 9.3 out of 10. The patches address a wave of code execution bugs that security experts warn...

194

National Grid ignored 7-year warning before Heathrow fire

A fire that forced the closure of Europe's busiest airport and stranded more than 200,000 passengers was caused by a technical fault that National Grid had known about for seven years but failed to fix, according to a damning report released Wednesday. The National Energy System Operator found that moisture detected at the North Hyde electrical substation in July 2018 ultimately caused the...

7,614