Microsoft has addressed a critical vulnerability in Secure Boot that could be exploited by attackers to disable security protections and deploy persistent bootkit malware across a wide range of systems.
The flaw, uncovered by cybersecurity firm Binarly, involved a legitimate BIOS update utility signed with Microsoft’s UEFI CA 2011 certificate. This certificate is pivotal in the UEFI Secure Boot process, ensuring only trusted bootloaders and low-level software run during startup.
According to Binarly, the utility is trusted on most modern devices using UEFI firmware. However, a significant issue arose due to the utility’s ability to access a user-writable NVRAM variable without adequate validation. “This means an attacker with administrative privileges could manipulate the variable and write arbitrary data during the boot process,” the researchers explained.
By exploiting the vulnerability, Binarly demonstrated that Secure Boot could be deactivated, allowing any unsigned UEFI code to execute. This opens the door for stealthy bootkit malware that persists even after hard drive replacements. The affected module had been active since 2022 and was uploaded to VirusTotal in 2024 before being disclosed to Microsoft in February 2025.
The flaw has been formally logged as CVE-2025-3052 with a high severity score of 8.2 out of 10. Microsoft included the fix in its June 2025 Patch Tuesday update, addressing this and other newly discovered issues.
“During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but actually 14 different modules,” Binarly said. “For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes.”
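The dbx is the UEFI forbidden-signatures database: a blob of EFI_SIGNATURE_LIST structures whose SHA-256 entries name PE images the firmware must refuse to run. A defender who wants to confirm that a dbx update actually landed on a machine needs to parse that blob and look for the expected digests. The following parser is an added example written for this article; it is not code from Binarly or Microsoft. The 14 digests it embeds are constructed placeholders (the article does not list the real hashes), and the `strip_efivarfs_attributes` helper assumes the Linux efivarfs layout, where each variable file begins with a 4-byte attribute word before the variable data.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: the SignatureType used for SHA-256 hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHA256_ENTRY_SIZE = 16 + 32           # EFI_GUID SignatureOwner + 32-byte digest
SIGLIST_HEADER_SIZE = 16 + 4 + 4 + 4  # SignatureType + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(data: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the dbx payload
    format) and return a list of (signature_type, owner, signature_data)."""
    entries = []
    offset = 0
    while offset < len(data):
        if offset + SIGLIST_HEADER_SIZE > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {offset}")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        # Every size field comes from the blob, so bound-check each one before use.
        if list_size < SIGLIST_HEADER_SIZE or offset + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {offset}")
        if sig_size < 16:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {offset}")
        body_start = offset + SIGLIST_HEADER_SIZE + header_size
        body_end = offset + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError(f"signature body not a multiple of SignatureSize at offset {offset}")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Lower-case hex digests of every SHA-256 entry in a dbx blob."""
    return {sig.hex() for t, _, sig in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, sha256_hex: str) -> bool:
    """True if the given PE image hash is present in dbx (case-insensitive)."""
    return sha256_hex.lower() in revoked_sha256_hashes(dbx)


def strip_efivarfs_attributes(raw: bytes) -> bytes:
    """Assumption: files under /sys/firmware/efi/efivars/ carry a 4-byte
    attribute word ahead of the variable data; drop it before parsing."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short")
    return raw[4:]


def build_sha256_signature_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to build test input)."""
    for d in digests:
        if len(d) != 32:
            raise ValueError("SHA-256 digest must be 32 bytes")
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HEADER_SIZE + len(body), 0, SHA256_ENTRY_SIZE)
    return header + body


# Constructed sample: 14 placeholder digests standing in for the 14 hashes Microsoft
# added to dbx. They are NOT the real values; the article does not list them.
SAMPLE_DIGESTS = [hashlib.sha256(f"placeholder-module-{i}".encode()).digest() for i in range(14)]


def build_sample_dbx() -> bytes:
    """Two concatenated lists (10 + 4 entries), as a dbx update may contain."""
    return (build_sha256_signature_list(SAMPLE_DIGESTS[:10])
            + build_sha256_signature_list(SAMPLE_DIGESTS[10:]))


if __name__ == "__main__":
    dbx = build_sample_dbx()
    print(f"{len(revoked_sha256_hashes(dbx))} revoked SHA-256 hashes in sample dbx")
    for d in SAMPLE_DIGESTS[:2]:
        print(d.hex(), "revoked:", is_revoked(dbx, d.hex()))
```

On a live Linux system the same functions apply to `strip_efivarfs_attributes(open("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read())`, with the digests taken from the vendor's published revocation list in place of the placeholders. The parser rejects any list whose size fields run past the end of the blob, which matters because the whole point of this class of flaw is firmware code that trusts the contents of an NVRAM variable without such checks.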
With all affected modules now patched, Microsoft has significantly reduced the risk of attackers using this Secure Boot vulnerability to compromise system integrity.