Microsoft Using AI to Uncover Critical Bootloader Vulnerabilities

Using the Security Copilot tool, Microsoft discovered 20 critical vulnerabilities in widely deployed open-source bootloaders.

Researchers in Microsoft’s threat intelligence team say they are using AI technologies to uncover security vulnerabilities in popular open-source bootloaders, including GRUB2, U-boot, and Barebox. 

Using its Security Copilot tool, the Microsoft team pinpointed at least 20 critical vulnerabilities in open-source bootloaders (including GRUB2, U-boot, and Barebox) that are used in UEFI Secure Boot systems and widely deployed in embedded and IoT devices.

“The vulnerabilities found in the GRUB2 bootloader (commonly used as a Linux bootloader) and U-boot and Barebox bootloaders (commonly used for embedded systems), could allow threat actors to gain and execute arbitrary code,” the company said.

The research project, which combined static code analysis, fuzzing, and AI-driven prompts, saved the research team nearly a week’s worth of manual effort. The company said the AI tool not only flagged potential issues but also helped pinpoint specific vulnerabilities that could be exploited to override critical security mechanisms.

Redmond’s researchers focused on bootloader functionalities such as filesystem parsing, a common weak point where memory safety vulnerabilities exist. In one case, Microsoft’s threat-intel team discovered an integer overflow that could let attackers execute arbitrary code, potentially bypassing Secure Boot protections and installing stealthy bootkits. 
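The bug class described above, as an added example in C that is neither Microsoft's code nor GRUB2's: a constructed toy record format whose unchecked 32-bit length arithmetic wraps, beside the overflow-safe bounds check a filesystem parser should use. The record layout, the function names and the sample image are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy record layout (not any real bootloader's on-disk format):
 * [u32 name_len][u32 data_len][name bytes][data bytes], host byte order. */
struct rec_hdr { uint32_t name_len; uint32_t data_len; };

/* Unchecked: the 32-bit sum wraps, so a hostile length pair looks small,
 * passes the "fits?" test and can later drive an out-of-bounds copy. */
bool rec_fits_unchecked(const struct rec_hdr *h, uint32_t avail)
{
    uint32_t need = h->name_len + h->data_len;   /* wraps on overflow */
    return need <= avail;
}

/* Hardened: compare by subtraction so no intermediate can wrap, bounding
 * each field against what is actually left in the image. */
bool rec_fits_checked(const struct rec_hdr *h, uint32_t avail)
{
    if (h->name_len > avail) return false;
    if (h->data_len > avail - h->name_len) return false;
    return true;
}

/* Parse one record with the hardened check; returns bytes consumed, 0 if rejected.
 * Images are assumed smaller than 4 GiB so the remaining length fits a u32. */
size_t parse_record(const uint8_t *img, size_t img_len, char *name_out, size_t name_cap)
{
    struct rec_hdr h;
    if (img_len < sizeof h) return 0;
    memcpy(&h, img, sizeof h);                      /* avoids unaligned access */
    if (!rec_fits_checked(&h, (uint32_t)(img_len - sizeof h))) return 0;
    if (h.name_len >= name_cap) return 0;           /* keep room for the NUL */
    memcpy(name_out, img + sizeof h, h.name_len);
    name_out[h.name_len] = '\0';
    return sizeof h + (size_t)h.name_len + h.data_len;
}

/* Builds and parses a constructed sample: 8-byte header + "boot" + 3 data bytes -> 15 consumed. */
size_t demo_parse_sample(void)
{
    struct rec_hdr good = { 4u, 3u };
    uint8_t img[sizeof good + 4 + 3];
    char name[16];
    memcpy(img, &good, sizeof good);
    memcpy(img + sizeof good, "bootxyz", 7);
    return parse_record(img, sizeof img, name, sizeof name);
}
```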

“Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings. This efficient process allowed us to confirm several additional vulnerabilities and extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2,” the company said. 

“The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities,” Microsoft said.

“It could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement.”

While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, the GRUB2 vulnerabilities could additionally be exploited to bypass Secure Boot and install stealthy bootkits, or potentially to bypass other security mechanisms such as BitLocker.

Redmond said its researchers worked with GRUB2 maintainers on security updates released in mid-February. Separately, U-boot and Barebox maintainers released updates on February 19, 2025.

The company held up the findings as a showcase of “efficiency, streamlined workflows, and improved capabilities” provided by AI-based products. 

Related: Google Brings AI Magic to Fuzz Testing With Eye-Opening Results

Related: OpenAI Offering $100K Bounties for Critical Vulnerabilities

Related: Can AI Early Warning Systems Reboot the Threat Intel Industry?

Related: AI Won’t Take This Job: Human Ingenuity Crucial to Red-Teaming

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
