Vulnerable UEFI firmware applications from DTResearch, a company that makes rugged tablets, laptops and other industrial computers, can be leveraged to bypass Secure Boot on many devices.
The vulnerability, tracked as CVE-2025-3052, was disclosed on Tuesday by CERT/CC and Binarly, the firmware security firm whose researchers discovered the issue.
Binarly researchers found that two UEFI applications made by DTResearch and signed with Microsoft’s third-party UEFI certificate are affected by a vulnerability that can be exploited using specially crafted NVRAM variables, which store configuration, device customization, and runtime context data that needs to persist across reboots of the device.
An attacker who has access to the targeted system can exploit CVE-2025-3052 — through a Bring Your Own Vulnerable Driver (BYOVD) attack — to modify a specific NVRAM variable that enables a bypass of Secure Boot during the boot process.
Secure Boot is a security feature that protects the boot process by verifying the authenticity and integrity of software before it’s loaded. Bypassing Secure Boot enables the attacker to run malicious code before the OS loads, allowing them to plant persistent malware or kernel rootkits. This type of malware would not be detected by endpoint security systems.
“Thinking about it, this situation is quite unique and it highlights, once again, the complexities surrounding the UEFI supply chain security, where a mistake by one vendor can affect the entire ecosystem, except for the vendor itself!,” Binarly said.
The company has made a video showing the exploit in action:
Microsoft on Tuesday rolled out mitigations — specifically, it added hashes associated with 14 problematic DTResearch files to its Forbidden Signature Database (DBX) to prevent the loading of the vulnerable applications. Red Hat said it’s also working on a DBX update.
Binarly pointed out that CVE-2025-3052 exploitation is likely possible on most devices that support UEFI. On some systems, such as Insyde-based devices, where the targeted NVRAM variable is often locked and read-only, the vulnerability cannot be exploited.
DTResearch noted that the vulnerable applications are actually only meant to be used on devices with Insyde UEFI. In addition, the vendor said, Microsoft’s actions should prevent the binaries from running on other types of systems.
CERT/CC on Tuesday also published an advisory to describe another UEFI firmware application vulnerability involving NVRAM variables. Researcher Nikolaj Schlej discovered that the security hole, impacting an Insyde H2O UEFI firmware application, can be exploited for a Secure Boot bypass.
Related: PKfail Vulnerability Allows Secure Boot Bypass on Hundreds of Computer Models
Related: Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability
Related: Prototype UEFI Bootkit is South Korean University Project; LogoFAIL Exploit Discovered
