Critical UEFI Security Flaw Let Hackers Bypass Protection

ESET researchers have uncovered a critical vulnerability (CVE-2024-7344) affecting most UEFI-based systems, allowing attackers to bypass the Secure Boot mechanism. The flaw, found in a UEFI application signed by Microsoft’s third-party UEFI certificate authority, enables malicious actors to execute untrusted code during system startup. This could lead to the deployment of UEFI bootkits, such as Bootkitty or BlackLotus, even on systems with Secure Boot enabled.
The vulnerability was reported to the CERT Coordination Center (CERT/CC) in June 2024. Following this, affected vendors were contacted, and the issue was resolved. Microsoft revoked the vulnerable binaries in its Patch Tuesday update on 14 January 2025.
The vulnerable UEFI application was part of system recovery tools developed by companies such as Howyar Technologies, Greenware Technologies, Radix Technologies, SANFONG Inc., and others.
“The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window show that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier,” stated ESET researcher Martin Smolár, who discovered the vulnerability. “However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn’t the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.”
Attackers can exploit this flaw by introducing the vulnerable binary to any UEFI system with Microsoft’s third-party UEFI certificate enabled. However, deploying malicious files requires elevated privileges—administrator access on Windows or root access on Linux. The vulnerability arises from the application’s use of its own custom program loader instead of the standard UEFI image-loading services, which is where Secure Boot’s signature verification is enforced.
Systems can be protected by installing the latest updates. Windows devices are updated automatically, while Linux users can access firmware updates via the Linux Vendor Firmware Service. More details are available in Microsoft’s advisory on CVE-2024-7344.
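Because the fix is delivered by revocation, a defender’s check is whether the revoked hashes have actually reached the firmware’s forbidden-signature database (DBX). The following added example, not from ESET, Microsoft or the original article, parses the EFI_SIGNATURE_LIST structures that make up DBX and reports which SHA-256 entries are present; the efivarfs path and the sample hashes are assumptions (the hashes are constructed placeholders, so compare against the values in Microsoft’s advisory rather than these).

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: signature type for SHA-256 hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs prepends a 4-byte attribute word to every variable's data.
EFIVARFS_ATTR_LEN = 4
# Assumed efivarfs path of the dbx variable (EFI_IMAGE_SECURITY_DATABASE_GUID).
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIG_LIST_HDR = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(data: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner, signature) triples."""
    entries, off = [], 0
    while off + SIG_LIST_HDR <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HDR or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + SIG_LIST_HDR + hdr_size: off + list_size]
        for i in range(0, len(body) - sig_size + 1, sig_size):  # each EFI_SIGNATURE_DATA
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def dbx_sha256_hashes(data: bytes) -> set[str]:
    """Hex digests of all SHA-256 entries in a raw DBX blob (attribute prefix removed)."""
    return {sig.hex() for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_SHA256_GUID}


def revocation_status(data: bytes, wanted: list[str]) -> dict[str, bool]:
    """Map each expected revocation hash to whether DBX contains it."""
    found = dbx_sha256_hashes(data)
    return {h.lower(): h.lower() in found for h in wanted}


def build_sha256_list(hashes: list[bytes], owner: uuid.UUID) -> bytes:
    """Constructed test fixture: one EFI_SIGNATURE_LIST of SHA-256 entries."""
    sig_size = 16 + 32
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(hashes) * sig_size, 0, sig_size)
    return hdr + b"".join(owner.bytes_le + h for h in hashes)


def load_dbx(path: str = DBX_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[EFIVARFS_ATTR_LEN:]


# Constructed sample DBX with two placeholder hashes (not real revocation values).
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32], uuid.UUID(int=0))
```

On a live system call `revocation_status(load_dbx(), [...])` with the hashes from the advisory; a False entry means the DBX update has not been applied to that firmware.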