Motherboards from several major vendors are affected by a vulnerability that can allow a threat actor to conduct early-boot attacks.
According to an advisory published on Wednesday by Carnegie Mellon University’s CERT/CC, an attacker can exploit the vulnerability to access data in memory or influence the initial state of the system.
The security hole could allow an attacker to obtain sensitive data and conduct pre-boot code injection.
While the issue may sound critical as it undermines the integrity of the boot process and allows attacks to be conducted prior to the operating system’s defenses being loaded, exploitation requires physical access to the targeted device.
Specifically, a local attacker needs to be able to connect a malicious PCI Express (PCIe) device to a computer with a vulnerable motherboard.
[ Read: Intel, AMD Processors Affected by PCIe Vulnerabilities ]
ASRock, Asus, Gigabyte, and MSI have confirmed that some of their motherboards are affected. Each vendor has released its own advisory to inform customers about the vulnerability and the availability of firmware patches.
According to the CERT/CC advisory, products from AMD, AMI, Insyde, Intel, Phoenix Technologies, and Supermicro are not impacted. Over a dozen vendors currently have an ‘unknown’ status.
Technical details
The vulnerability, described as a protection mechanism failure, is related to UEFI implementations and the Input-Output Memory Management Unit (IOMMU), which is designed to prevent malicious memory access from peripheral devices.
The problem is that during the boot process the firmware indicates that direct memory access (DMA) protections are enabled, when in reality the IOMMU is not properly configured and activated until immediately before control is handed over to the operating system.
This allows an attacker who has physical access to the targeted system to use a malicious PCIe device to conduct a DMA attack.
CERT/CC explained in its advisory:
“In environments where physical access cannot be fully controlled or relied on, prompt patching and adherence to hardware security best practices are especially important. Because the IOMMU also plays a foundational role in isolation and trust delegation in virtualized and cloud environments, this flaw highlights the importance of ensuring correct firmware configuration even on systems not typically used in data centers.”
The CVE identifiers CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304 have been assigned to the vulnerability.
The issue was responsibly disclosed by researchers from Riot Games.
Related: Patch Bypassed for Supermicro Vulnerability Allowing BMC Hack
Related: Flaw in Industrial Computer Maker’s UEFI Apps Enables Secure Boot Bypass on Many Devices
Related: MITRE Updates List of Most Common Hardware Weaknesses
