
Microsoft closes only one of two discovered Secure Boot bypasses

Researchers have discovered two publicly available methods that allow attackers to bypass Secure Boot entirely. Secure Boot is the mechanism designed to ensure that a device loads only trusted operating-system code during startup.

Microsoft is taking action against one of these vulnerabilities, Ars Technica reports; the other is being left untouched for now. During its monthly security update on Tuesday, Microsoft released a fix for CVE-2025-3052. This vulnerability enables an attacker with physical access to disable Secure Boot on over 50 different devices, opening the door to installing malicious software that is already running before the operating system loads.

This type of attack, often referred to as an “evil maid” attack, is exactly the kind of risk that Secure Boot is designed to prevent. If an attacker already has administrator rights on a system, the vulnerability can also be exploited remotely, which makes the attack even more stealthy and powerful.

Tool may have been available for some time

The cause is a serious security flaw in a firmware tool from DT Research, a manufacturer of rugged mobile devices. The tool has been available on VirusTotal since last year and was digitally signed in 2022, which indicates that it may have been obtainable through other channels even earlier.

Although the tool was originally intended only for DT Research devices, it is accepted for execution by most Windows and Linux systems during boot. This is because the module is signed with a Microsoft certificate (Microsoft Corporation UEFI CA 2011), which is present by default on many systems.

This certificate is used to authenticate the so-called shims that load Linux, and manufacturers install it to ensure Linux compatibility. The patch Microsoft is now releasing adds 14 variants of the firmware tool to the Secure Boot revocation database (DBX), the list of modules that are validly signed but must no longer be trusted.

Secure Boot was introduced over ten years ago by a consortium of companies. It uses public key cryptography to prevent code without an approved digital signature from being loaded during startup, establishing a chain of trust between the device’s hardware and its software or firmware. Each link in that chain must be signed with a certificate approved by the manufacturer. Microsoft requires Secure Boot to be enabled by default, and in some countries this is even a requirement in government certification programs.
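The DBX revocation described above is stored in firmware as a chain of EFI_SIGNATURE_LIST structures, and a defender who wants to verify that a DBX update actually landed on a machine needs to read that format. The following Python script is an added example, not code from the article, Microsoft or DT Research: it builds a constructed DBX blob with 14 placeholder SHA-256 entries (the real hashes of the DT Research tool variants are not given in the article and are not reproduced here), parses it back according to the UEFI specification, and answers whether a given image hash is revoked. The owner GUID and all hash values are constructed; the signature-type GUIDs are the ones defined by the UEFI specification. Note that SHA-256 entries in DBX are Authenticode hashes of the PE image, not hashes of the whole file on disk.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed owner GUID for the entries built below (hypothetical, not a real signature owner).
CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed stand-ins for the 14 Authenticode hashes a DBX update would carry.
# These are NOT the real hashes of the DT Research tool variants.
CONSTRUCTED_REVOKED_HASHES = [
    hashlib.sha256(f"constructed-dtresearch-variant-{i}".encode()).digest() for i in range(14)
]
# A constructed hash of an image that is not on the revocation list.
UNKNOWN_HASH = hashlib.sha256(b"constructed-unrelated-image").digest()

SIG_LIST_HEADER_LEN = 16 + 4 + 4 + 4   # SignatureType GUID + three UINT32 fields


def build_sha256_signature_list(hashes, owner=CONSTRUCTED_OWNER):
    """Serialize SHA-256 entries as one EFI_SIGNATURE_LIST, the on-disk layout used in DBX."""
    sig_size = 16 + 32                      # EFI_SIGNATURE_DATA: SignatureOwner GUID + SHA-256 digest
    header_size = 0                         # SHA-256 lists carry no SignatureHeader
    list_size = SIG_LIST_HEADER_LEN + header_size + sig_size * len(hashes)
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, header_size, sig_size)
    for h in hashes:
        out += owner.bytes_le + h
    return out


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures, yielding (type, owner, data).

    Raises ValueError on a truncated or inconsistent list so a corrupt variable is
    never silently treated as an empty revocation list.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = off + SIG_LIST_HEADER_LEN + header_size
        end = off + list_size
        if list_size < SIG_LIST_HEADER_LEN + header_size or end > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16 or (end - body) % sig_size != 0:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            yield sig_type, owner, bytes(blob[body + 16:body + sig_size])
            body += sig_size
        off = end


def is_well_formed(blob):
    """True if every list in the blob parses cleanly."""
    try:
        for _ in parse_signature_lists(blob):
            pass
        return True
    except ValueError:
        return False


def revoked_sha256_hashes(blob):
    """All SHA-256 (Authenticode) image hashes present in the DBX blob."""
    return {data for sig_type, _, data in parse_signature_lists(blob) if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob, authenticode_sha256):
    """Would firmware refuse an image with this Authenticode SHA-256 because of DBX?"""
    return authenticode_sha256 in revoked_sha256_hashes(blob)


def load_dbx_from_efivars(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Read DBX on Linux; efivarfs prefixes the variable data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed DBX blob used by the checks below.
CONSTRUCTED_DBX = build_sha256_signature_list(CONSTRUCTED_REVOKED_HASHES)

if __name__ == "__main__":
    print(f"entries in constructed DBX: {len(revoked_sha256_hashes(CONSTRUCTED_DBX))}")
    print(f"variant 3 revoked: {is_revoked(CONSTRUCTED_DBX, CONSTRUCTED_REVOKED_HASHES[3])}")
    print(f"unknown image revoked: {is_revoked(CONSTRUCTED_DBX, UNKNOWN_HASH)}")
```

To run the same check against a real machine, feed `revoked_sha256_hashes` the bytes from `load_dbx_from_efivars()` on Linux, or on Windows the `Bytes` property returned by `Get-SecureBootUEFI -Name dbx`; counting the SHA-256 entries before and after the update is a quick way to confirm the new revocations were applied.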

Second vulnerability

Researcher Zack Didcott discovered the second vulnerability. Earlier this month, he described how CVE-2025-47827 originates from an IGEL Linux kernel module intended for managing the volume layout on IGEL devices. Microsoft also signs the initial shim that loads GRUB and, in turn, the vulnerable kernel.