- Binarly spotted multiple flaws in UEFI firmware built by AMI
- AMI released fixes months ago, so users should update now
- Many Gigabyte motherboards reached EOF and thus won’t be patched
UEFI firmware on dozens of Gigabyte motherboards is vulnerable to a handful of flaws which theoretically allow threat actors to deploy bootkits on compromised devices, establish stubborn persistence and execute additional malicious code remotely, experts have warned.
Security researchers Binarly recently discovered four vulnerabilities in UEFI firmware developed by American Megatrends Inc. (AMI). All four have a high severity score (8.2/10), and can lead to privilege escalation, malware installation, and other potentially destructive outcomes. They are tracked as CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7028.
Binarly reported its findings to Carnegie Mellon CERT/CC in mid-April 2025, resulting in AMI acknowledging the findings and releasing a patch in mid-June. The patch was pushed to OEMs privately, but apparently Gigabyte did not implement it at the time.
Hundreds of motherboard models affected
There are apparently more than 240 motherboard models that are impacted by these flaws.
Many won’t be patched at all because they have reached end of life, and as such, are no longer supported by Gigabyte. Instead, users worried about the vulnerabilities should upgrade their hardware to newer, supported versions.
Products from other OEMs are also said to be affected by these flaws, but until a patch is applied, their names will not be publicized.
UEFI firmware is low-level code that runs beneath the operating system, and whose job is to initialize the hardware (CPU, memory, storage), and then hand off control to the OS. When this code has flaws, threat actors can exploit them to install so-called “bootkits”, stealthy malware that loads at boot time, before the OS.
Because they run in privileged environments, bootkits can evade antivirus tools, and even survive OS reinstalls and disk replacements. This makes them highly persistent and dangerous, especially in high-security environments. The good news is that exploiting these vulnerabilities often requires admin access, which is not that easily obtainable.
Via BleepingComputer
